The breach that exposed at least 4 million federal employee records held by the Office of Personnel Management was significantly larger than first reported, with hackers accessing at least one other database that contains highly sensitive data from background investigations.
Investigators discovered the second breach while looking into the massive hack, according to a senior White House official familiar with the investigation.
A deeper dive into the breach unveiled a "high degree of confidence that OPM systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated," the official said.
This second breach — which officials described as a "separate intrusion affecting a different set of OPM systems and data" — gave hackers access to information beyond just names, birthdates and Social Security numbers.
Officials declined to give details on the scope of this second breach, saying the investigation was still ongoing, but confirmed intruders were able to steal information on background checks on current, former and potential federal employees at civilian and defense agencies.
Independent reports have put the total number affected anywhere between 5 million and 15 million.
Background checks conducted through OPM include disclosures like Standard Form 86, which requires applicants to fill out information for national security clearances.
Along with standard personally identifiable information, the application asks for deeply personal information, from a full accounting of where a person has lived throughout their life to foreign contacts and travels to psychological and emotional health. The form even asks for specifics on relatives and "people who know you well."
The broadening scope of the hack comes as little surprise, as investigators found early evidence that intruders attempted to breach other federal networks using the same attack. However, the large number of people affected and the highly sensitive nature of the data included in this second breach makes this a significant event.