Hackers who stole security clearance data on millions of Defense Department and other U.S. government employees got away with about 5.6 million fingerprint records, some 4.5 million more than initially reported, the government said on Wednesday. Reports
The additional stolen fingerprint records were identified as part of an ongoing analysis of the data breach by the Office of Personnel Management and the Department of Defense, OPM said in a statement. The data breach was discovered this spring and affected security clearance records dating back many years.
The news came just ahead of a state visit to Washington by Chinese President Xi Jinping. U.S. officials have privately blamed the breach on Chinese government hackers, but they have avoided saying so publicly.
U.S. officials have said no evidence has surfaced yet suggesting the stolen data has been abused, though they fear the theft could present counterintelligence problems.
White House spokesman Josh Earnest said on Wednesday the investigation into the data breach, which affected the records of some 21.5 million federal workers, was continuing and he did not “have any conclusions to share publicly about who may or may not have been responsible.”
He indicated the OPM announcement was not related to Xi’s visit but instead came about because officials at OPM had met with members of Congress and told them about the fingerprints and so needed to release the information to the public as well.
Officials from OPM and the Defense Department only recently discovered that the additional fingerprints had been stolen as they continued to assess the data breach, OPM said in a statement.
During that process, officials “identified archived records containing additional fingerprint data not previously analyzed,” the OPM statement said. As a result, the estimated number of people who had fingerprint records stolen rose to 5.6 million from the 1.1 million initially reported, it said.
OPM said the total number of people affected by the breach was still believed to be 21.5 million.
Senator Ben Sasse, a Nebraska Republican who has accused the administration of failing to take cybersecurity seriously, said the OPM announcement was further evidence that officials viewed the data breach as “a PR (public relations) crisis instead of a national security threat.”
The individuals affected by the breach have not yet been notified. The OPM statement said the personnel office and Defense Department were working together to begin mailing notifications to those affected.