As many as 32 million current and former government employees may have had their personal information stolen as a result of two data breaches at the US government's human resources arm, according to a new estimate that's higher than any number reported until now.
The Office of Personnel Management (OPM) has yet to start notifying millions of government employees whose records relating to security clearance and background investigations were stolen, including some employees, such as undercover intelligence agents, whose lives might actually be in danger because the data could potentially expose their real identities.
OPM has even refused to estimate exactly how many federal employees and retirees were affected by this breach—which was discovered after a first breach that affected the personal data of 4.2 million people—because the investigation is still ongoing.
But a document filed by OPM's Director Katherine Archuleta earlier this year gives a hint as to how many people could potentially have been affected by the breach.
"As a proprietor of sensitive data—including personally identifiable information for 32 million federal employees and retirees—OPM has an obligation to maintain contemporary and robust cybersecurity controls," Archuleta wrote in a budget request for the year 2016.
On Wednesday, during a congressional hearing, Rep. Jason Chaffetz (R-Utah) pointed to this document, and asked Archuleta if that number could be considered the range of potential victims of the hacks. Archuleta, however, deflected the question.
"I'm not going to give you a number that I'm not sure of," Archuleta said.
Earlier in the hearing Archuleta referred to news reports saying that 18 million people could have been victims of the two breaches, saying that number "refers to a preliminary, unverified and approximate number of unique social security numbers in the background investigations data."
"It is a number I'm not comfortable with because it does not represent the total number of affected individuals," she added.
In other words, OPM doesn't know yet. Archuleta also added that the agency is still working to determine if people whose social security numbers were not stolen, but had other personal information exposed, "should be considered affected" by the breaches as well.
For these reasons, the number of victims "may well increase from these initial reports."
The type of data stolen in the second incident, the one affecting security clearance and background investigation, is highly sensitive. Joel Brenner, a former counterintelligence official who's also worked at the NSA, has described this data as a "gold mine." This data could help foreign spies unmask undercover American spies in the field in foreign countries, as well as identify their families, friends and foreign contacts.
For John Schindler, a security consultant and a former NSA counterintelligence officer, "this can be a matter of life or death."
And yet, for now, OPM doesn't even know how many people could be in danger.