More than 21.5 million Americans had their personal information compromised in the second breach of Office of Personnel Management networks, officials said Thursday, announcing a number well above any previous estimates.
Some 3.6 million of those affected in the second breach were also compromised in the first breach, which affected 4.2 million federal employees. The combined tally brings the total number up to 22.1 million.
That number represents about 6.9 percent of the nation's population, which was pegged at 319 million in 2014.
OPM Data Breach: What You Need to Know
"If an individual underwent a background investigation through OPM in 2000 or afterwards, it is highly likely that the individual is impacted by this cyber breach," an OPM official said Thursday. "If an individual underwent a background investigation prior to 2000, that individual still may be impacted but it is less likely."
In June, OPM confirmed that hackers had broken into a database housing background investigations on all current, former and prospective federal employees seeking security clearances over the last 20 years. That database included highly sensitive Standard Form 86 documents, which also include information on family members and close friends, extending the tally beyond just federal employees.
Candidates for security clearances make up 19.7 million of those affected in the second breach. An additional 1.8 million family members and other associates were also compromised, OPM Director Katherine Archuleta said Thursday.
Officials noted a separate system containing information on health, finances, payroll and retirement records was not compromised in either breach. However, the stolen data does include interviews conducted with family members and roommates, as well as some 1.1 million fingerprints.
"It is an enormous breach," FBI Director James Comey said while testifying in front of the Senate Intelligence Committee on July 8. "A huge amount of data that is personal and sensitive to federal employees, former federal employees, people who have applied for federal employment was available to the adversary and we have to assume that it was looked at and/or exfiled. We're talking about millions and millions of people affected by this."
Comey noted the hackers likely got his information, as well, which includes information on his family and friends.
OPM is offering at least three years of credit monitoring to individuals affected in the second breach, along with identity theft insurance and victim recovery assistance.
Archuleta said the agency is considering extending that to the additional 600,000 employees exposed in just the first breach and possibly going further.
"We are working very closely with our interagency partners to determine whether the services for identity theft protection should become part of a benefit that we would provide to all federal employees," she said Thursday.
Archuleta added that there is no evidence to date that any data has been used to commit fraud, such as opening up an unauthorized credit card.
"To those that have been directly affected by this theft of information, I truly understand the impact this has on our current and former federal employees, our military personnel and our contractors," she said. "Each and every one of us at OPM is committed to protecting the safety and security of the information that is placed in our trust. And we remain committed to do everything in our power to assist those that have been impacted by this incident."
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.