In the biggest theft of U.S. government records in this nation’s history, the Office of Personnel Management (OPM) late Thursday announced that the sensitive information of 21.5 million individuals was compromised in the second major hack of its IT systems this year.

Together with the first breach announced at the beginning of last month, the total number of compromised records now stands at 25.7 million; however, the total number of individuals affected stands at 22.1 million since 3.6 million people were affected by both breaches, according to OPM Press Secretary Sam Schumach.

Although the numbers are staggering, the sensitivity of the data stolen is hard to quantify.

The OPM has said that every security clearance background investigation found on Standard Form 86, 85 and 85P since the year 2000 was accessed by adversaries—totaling 19.7 million individuals. Social Security numbers (SSNs) of 21.5 million current, former and prospective federal employees, as well as certain spouses or cohabitants of applicants, were compromised in the second hack.

The OPM has also said that stolen data includes 1.1 million biometric fingerprints, “residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history, and other details.”

Although the background checks can include “information regarding mental health and financial history provided by those that have applied for a security clearance … there is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of federal personnel were impacted,” the OPM stated in its press release.

Immediately following Thursday’s announcement, several lawmakers once again called for the resignation of OPM Director Katherine Archuleta and Chief Information Officer Donna Seymour.

Late Friday morning, Archuleta answered those calls by resigning from her position, according to the National Journal. She'll be replaced by Office of Management and Budget (OMB) Deputy Director of Management Beth Cobert. There is no word yet on whether Seymour will stay on.

In her letter of resignation, Archuleta wrote, "I conveyed to the president that I believe it is best for me to step aside and allow new leadership to step in," adding she is "proud of the work we have done to develop the REDI initiative and our IT Strategic Plan."

On Thursday after the OPM breach announcement, Chairman of the House Oversight Committee Jason Chaffetz (R-UT) said, “Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries … Such incompetence is inexcusable.”

Sen. Mark Warner (D-VA) said, “The technological and security failures at the (OPM) predate this director’s term, but Director Archuleta’s slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis.”

Rep. Barbara Comstock (R-VA), who herself was notified as a victim in the first OPM hack, also called for new OPM leadership, saying “this is a failure of leadership on (Archuleta’s) part, and if the president does not have the leadership to do this, I think she should step aside.”

Four Democratic senators introduced legislation late Thursday evening geared toward providing federal workers with additional protections.

The OPM also announced further steps it’s taking to help impacted individuals by providing what it calls a “comprehensive suite of monitoring and protection services” for those whose data was stolen via the security background checks. The suite includes full-service identity restoration support, identity theft insurance and monitoring for minor children, continuous credit monitoring and fraud monitoring for at least three years.

The agency has yet to begin notifying those affected, but said it is in the process of setting up a second call center with a third party. CSID has helped the OPM with its first set of breach notifications. The OPM has also introduced a cybersecurity incident resource center to provide information to victims.

FBI Director James Comey Thursday discussed the sensitive nature of this second breach. “If you have my SF-86, you know every place I’ve lived since I was 18, contact people at those addresses, neighbors at those addresses, all of my family, every place I’ve traveled outside the United States since I was 18,” he said. “If I had substantial contact with any non-United States person, it’s on there, along with the contact information of that person. Just imagine you were a foreign intelligence service and you had that data, how it might be useful to you. So it’s a big deal.”

The Obama administration has not publicly revealed who the hackers were. When reporters asked the White House National Security Council’s Michael Daniel, he said, “we’re not really prepared to comment at this time on the attribution behind this event.”

It is believed by many that China may be behind the attacks.

Reuters reports that investigators have said their prime suspect is a team with connections to China’s Ministry of State Security. CrowdStrike Chief Technology Officer Dmitri Alperovitch said his firm’s investigation of the incident leads them to believe that some part of the Chinese government is responsible. “It’s a tremendous coup for China,” he added.

Regardless of the perpetrators, the Obama administration in June announced a 30-day cybersecurity sprint aimed at getting the federal government’s cybersecurity policies in place. On Wednesday, Department of Homeland Security Secretary Jeh Johnson commented on the team created by the sprint, drawing members from the OMB's E-Gov Cyber Unit, the DHS, the National Security Council Cybersecurity Directorate and the Department of Defense.

“To be frank,” he said, “our federal cybersecurity is not where it needs to be … But we have taken, and are taking, accelerated and aggressive action to get there.”

The White House detailed many of those actions in a Fact Sheet on the 30-day sprint. In it, the administration calls for more cyber-threat information sharing and a greater partnership with private industry, and reiterates calls for federal legislation.

According to the report, in the first 10 days of the cybersecurity sprint, multi-factor authentication in federal agencies has increased by 20 percent and the DHS has scanned more than 40,000 federal systems for vulnerabilities. Agencies are currently patching what the DHS has found.

The president has also announced increased cooperation with leaders from Brazil, the Gulf Cooperation Council states, India, Japan and the UK.

And though efforts are ongoing, Government Accountability Office Director of Information Security Issues Gregory Wilshusen said, “There’s still much that agencies need to do that they are not doing to protect their systems.”

The OPM Breaches: A Brief Timeline

  • November 2013: Adversaries access an OPM database and remove manuals that could be used to map certain commercially available platforms. Rep. Jason Chaffetz (R-UT) referred to these Wednesday as “blueprints” and “keys to the kingdom.”
  • May 2014 – April 2015: Adversaries breach an OPM network containing SF86 security background clearance forms. These 127-page documents can contain highly sensitive data on the subject and acquaintances.
  • June 2014 – January 2015: Adversaries become active on the network containing SF86 forms. It is not yet known publicly how many, if any, were exfiltrated or manipulated. June 2014, however, appears to have been the most active month.
  • August 2014: Federal contractor U.S. Investigations Services (USIS) announces records of at least 25,000 government workers have been compromised, including those of DHS employees.
  • October 2014 – April 2015: Adversaries breach OPM personnel data stored in a Department of the Interior data center.
  • December 2014: Specific personnel records data of 4.2 million federal employees is removed by adversaries.
  • December 2014: Federal contractor KeyPoint announces records of more than 40,000 government employees have been compromised. Credentials from KeyPoint are used in a separate OPM breach.
  • January 2015: OPM implements two-factor authentication technology, thereby unknowingly halting certain adversarial control.
  • Mid-April 2015: DHS discovers the two OPM breaches while deploying new technology. Forensic investigation commences.
  • May 28 – 30, 2015: OPM opens up bids for vendors to aid in breach notification, identity theft protection and credit monitoring.
  • Early June, 2015: Forensics reveals that adversaries accessed SF86 forms.
  • July 9, 2015: OPM announces 21.5 million individuals affected in second breach. All SF86s filled out since 2000 have been compromised.