Cyber thieves managed to steal “sensitive information” belonging to 21.5 million U.S. citizens who applied for federal jobs, beginning in May 2014, according to the Office of Personnel Management.
The breach was not discovered until May 2015, OPM revealed in testimony before the Congress. Previous reports on the breach estimated that up to 18 million people were affected by the hack.
Among those were nearly 20 million who had allowed investigators to do deep background checks, and nearly two million more who were their life partners.
FBI Director James Comey confirmed on the Wednesday that his own data had been compromised as well.
Some of the files included “residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” OPM said in a statement Thursday.
The massive cyber heist is separate from one that was reported earlier this year, in which hackers stole the personal data of 4.2 million past and present federal employees.
In addition to social security numbers and other personal information, copies of approximately 1.1 million records of fingerprints were stolen, according to the statement issued by OPM. Some of the records also included “findings from interviews conducted by background investigators” as well as the user names and passwords that applicants used to fill out investigation forms. The agency also noted that some mental health and financial information was included in the security clearance files affected by the breach.
Sources said there is evidence linking the breaches to China, although there have been no official statements on the connection.
In response to the attacks, agency direcctor Katherine Archuleta wrote in a blog post Thursday that she would create a position for a cyber security adviser at OPM, who would be tasked with establishing an online cyber security incident resource center and consulting with private sector experts on technology threats.
The agency is offering identity theft monitoring and protection services, and credit to those whose records were compromised in the breach.