The Obama administration on Thursday revealed that 21.5 million people were swept up in a colossal breach of government computer systems that was far more damaging than initially thought, resulting in the theft of a vast trove of personal information, including Social Security numbers and some fingerprints.
Every person given a government background check for the last 15 years was probably affected, the Office of Personnel Management said in announcing the results of a forensic investigation of the episode, whose existence was already known, though not its sweeping toll.
The agency said hackers stole “sensitive information” — including addresses, health and financial history, and other private details — from 19.7 million individuals who had applied for background investigations, as well as 1.8 million others, including their spouses and friends. The theft was separate from, but related to, a breach revealed last month that compromised the personnel data of 4.2 million federal employees, officials said.
Both attacks are believed to have originated in China, although senior administration officials on Thursday declined to pinpoint a perpetrator, except to say they had indications that the same actor carried out the two hacks.
The breaches constitute what is apparently the largest cyberattack on the systems of the U.S. government, providing a frightening glimpse of the technological vulnerabilities of federal agencies that handle sensitive information. They also seemed certain to intensify debate in Washington over what the government must do to address its substantial weaknesses in cybersecurity, long the subject of dire warnings but seldom acted upon by agencies, Congress or the White House.
“This incident that we are talking about today is unfortunately not without precedent,” said Michael Daniel, the White House cybersecurity coordinator. “We have to raise our level of cybersecurity in both the private sector and the public sector.”
In a conference call to detail the grim findings and announce the agency’s response, Katherine Archuleta, the director of the Office of Personnel Management, said she would not resign despite calls from members of Congress in both parties for her dismissal.
“I am committed to the work that I am doing at OPM,” she said. “We are working very hard, not only at OPM but across government, to ensure the cybersecurity of all our systems, and I will continue to do so.”
She announced new security measures that would be installed at the agency as well as free credit and identity theft monitoring for the victims of the breach, although she said there was “no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s system.”
Even so, national security officials have acknowledged the seriousness of the intrusion. Before the scope was made public Thursday, FBI Director James B. Comey Jr. called the breach “a very big deal,” noting the information obtained included people’s addresses; details on their neighbors, friends and relatives; their travel destinations outside the United States; and any foreigners they had come into contact with.
“There is a treasure trove of information about everybody who has worked for, tried to work for or works for the United States government,” Comey said during a briefing. “Just imagine you are an intelligence service and you had that data, how it would be useful to you.”
Administration officials said it was OPM’s work to modernize its computer systems that first led them to detect the breach.
In April, the agency informed the Department of Homeland Security that it had found an intrusion, and the department went to work with the FBI to learn more, said Andy Ozment, a top cybersecurity official at Homeland Security. That investigation, he said, revealed the intruder had broken into a computer network at the Interior Department that held an OPM database, leading to the theft of the personnel records of 4.2 million current and former federal employees. It also found there had been a hack at the personnel office itself, leading to the much larger trove of background check records.
Ozment said the hacker in both cases gained access to the computer systems “via a compromised credential of a contractor.”
The OPM debacle has touched off a scramble by federal officials to bolster the security of their networks. Tony Scott, the government’s chief information officer, said every agency was racing to make improvements, including implementing basic tools like two-factor authentication, which requires anyone with the password to a system to use a second, one-time password to log in from an unrecognized computer.
“This is important work across all of the agencies of the federal government to make sure that we greatly enhance the cybersecurity profile of the U.S. government as a whole,” Scott said.
But that effort comes after almost two decades of warnings from government auditors and other internal investigations into the vulnerabilities in federal agency networks.
“There’s still much that agencies need to do that they are not doing to protect their systems,” said Gregory C. Wilshusen, the director of information security issues at the Government Accountability Office, which has conducted cyber audits for almost two decades.
Warnings from auditors about serious vulnerabilities are often ignored by agency officials, Wilshusen added.
“That’s been a recurring theme,” he said. “They believe they’ve taken corrective actions, but when one goes back to check, we find that they haven’t.”
The revelations quickly prompted calls for the ouster of Archuleta, whose agency had been warned in a series of reports since 2007 about the many vulnerabilities on its antiquated computer systems.
Rep. Jason Chaffetz, R-Utah, the chairman of the House Oversight Committee, said Archuleta and her top technology official should resign or be removed.
“Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries,” Chaffetz said. “Such incompetence is inexcusable.”
The criticism was bipartisan. Sen. Mark W. Warner, D-Va., also called on Archuleta to step down.
“The technological and security failures at the Office of Personnel Management predate this director’s term, but Director Archuleta’s slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis,” Warner said in a statement.
That attackers were able to compromise the agency using a contractor’s credentials is unacceptable, security experts say, given the wide availability of two-factor authentication tools, which have become standard practice, particularly since a cyberattack at Target nearly two years ago, when hackers managed to break into the retailer’s system using the credentials of a heating and cooling contractor.
“A second offense is more unacceptable than the first,” said Suni Munshani, the chief executive of Protegrity, a data security company. “The OPM and government agencies need to get their act together and better protect the information of their employees and citizens.”