OPM data breach - number of hack victims rises to over 22 million

Scale of data breach means seven per cent of entire US population has had personal data stolen in the attack

The cyber attack against American government department the Office of Personnel Management (OPM) has further-reaching ramifications than previously expected, US officials have revealed.

Initially it was estimated the data breach affected 4.2 million current and former federal workers who had personal information including social security numbers stolen by hackers.

Now, however, OPM has said that 21.5 million people have been affected by a "separate but related" attack by cyber criminals, bringing the total affected by both hacks to 22.1 million people. It's a figure that amounts to seven per cent of the entire US population.

The data breach has exposed details including sensitive information about 19.7 million current, former and prospective federal government employees who applied for clearances, along with 1.8 million non-applications including partners and flatmates.

However, the OPM claims that much of the sensitive data didn't get into the hands of hackers and remains safe.

"While background investigation records do contain some information regarding mental health and financial history provided by applicants and people contacted during the background investigation, there is no evidence that health, financial, payroll and retirement records of federal personnel or those who have applied for a federal job were impacted by this incident," said an OPM statement.

Nonetheless, the incident ranks among the most damaging data breaches in US history due to the scale of the attack and the information that was stolen.

Nicko Van Someren, CTO at Good Technology, said the nature of the information stolen in the cyber attack against OPM could be devastating and the potential for the details to be used for cyber crime is high.

"The scariest thing about this breach is not just the scale of it, but the depth. The data that's been taken are the life histories of over 21 million people, not just credit card numbers. It's enough to impersonate any of these people, which is bad enough from an identity theft perspective, but when they're government employees, it's potentially devastating," he said.

It isn't currently known who was responsible for theft but director of national intelligence James Clapper has suggested that China is the "leading suspect".

While US authorities point the finger at potential suspects, Rajiv Gupta, founder and CEO of Skyhigh Networks, argued that the incident represents a critical failure of the US government itself.

"More often than not, storing sensitive data on-premise, as the OPM did, is the information security equivalent to stashing the crown jewels under your mattress," said Gupta.

"Even when it makes sense to store some sensitive data on-premise, organisations need to deploy well-developed tools to detect and block the anomalous red flags the OPM breach likely exhibited before it reached the scale it did," he added.

The US Internal Revenue Services has also recently been the victim of a data breach, although rather than accusing China, the organisation suggested that Russia was behind the cyber attack.