The investigation into the second OPM data breach has concluded, and investigators say attackers stole every background investigation form filed with the U.S. government since 2000.
The final tally includes 19.7 million background investigation applications and 1.8 million non-applicants, described mostly as "spouses or co-habitants" to applicants. This is all in addition to the 4.2 million records affected in the first OPM breach, which occurred in December 2014.
According to OPM, the 21.5 million background information applications stolen included Social Security numbers, residency history, employment and education history, as well as health, criminal, and financial history. Approximately 1.1 million applications also included fingerprint data.
The White House has not yet attributed the attacks to a specific individual, group, or national government, but has said it suspects Chinese hackers were involved. FBI director James Comey said the government may bring charges against the hackers, and the director of the Department of Homeland Security, Jeh Johnson, said the White House is considering a "proportional" response.
Representatives in Congress have called for OPM director Katherine Archuleta to be fired, and the White House had supported her, but the White House has confirmed Archuleta will resign effective Friday. President Obama has accepted her resignation, and Beth Cobert, deputy director of management at the Office of Management and Budget, will replace Archuleta until a permanent replacement is found.
OPM said it will offer protections for those affected by the breach for three years. This will include identity theft insurance, identity restoration services, identity monitoring for minor children, continuous credit checking, and fraud monitoring services.
To prevent future breaches, OPM has also outlined a 15-step Cybersecurity Action Report aimed at improving security and modernizing systems. This includes implementing two-factor authentication, restricting remote access, deploying new security hardware and software, implementing continuous monitoring, and mandating security awareness training.