The government’s apparent explanation for the wildly disparate reports is that they counted the breach as two hacks, the larger of which they considered to be a “separate but related” issue that was still “under investigation” at the time. Via ABC:
At the time, OPM only disclosed that the personnel records of 4.2 million current and former federal employees had been compromised.
But there was little doubt — at least privately –- that the universe of victims was vastly bigger because the hackers had access to far more than personnel records, including files associated with background investigations and information on government workers’ families.
In fact, the hackers allegedly rummaged through various OPM databases for more than a year — and lawmakers and U.S. officials alike have described the breach as a significant threat to national security.
It’s still unclear how many Americans were actually affected (most reports cite anonymous sources) but Politico says it’s actually more like 21.5 million because some identities were essentially hacked twice. Either way, it’s clear the government drastically underreported the extent of the damage.
And it wasn’t just basic information—the hackers got away with highly sensitive documents that include “military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race data,” plus reportedly unencrypted social security numbers.