Officials detailed the timing of the two breaches and confirmed that they were executed by the same "actor."
In a call with reporters, OPM Director Katherine Archuleta said again that she would not resign over the security breaches.
A mere half-hour after releasing the long-awaited official estimate of how many people had been exposed in the massive background investigation breach -- 21.5 million, higher than some previous unofficial estimates -- the Office of Personnel Management hosted a conference call for media that shed a bit more light on the situation.
In the brief and carefully controlled call, OPM Director Katherine Archuleta said she would not resign over the breaches.
When the first reporter asked about congressional calls for her resignation, Archuleta repeated her stock speech about how she had inherited a flawed legacy system and has worked "aggressively" to improve OPM's cybersecurity.
The next reporter asked a similar question: Would Archuleta or OPM CIO Donna Seymour resign, and if not, why not?
"No," Archuleta said. "I am committed to the work that I am doing at OPM. I have trust in the staff, including Donna Seymour."
The timeline and numbers, clarified
"This was a challenging investigation," said Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security.
He told reporters that it appears both breaches -- the first of which exposed 4.2 million personnel files of current and former feds and the second of which affected millions of background investigations -- were conducted by the same actor moving between systems.
"Separate but related" was his description of the breaches.
Multiple members of Congress have named China as the culprit, but Ozment declined to identify the suspected actor.
Using compromised contractor credentials, hackers first accessed OPM systems, then breached an Interior Department database in which OPM personnel files were stored, Ozment said.
Hackers had access to OPM networks from May 2014 through April 2015, he said, but were most active from June 2014 to January 2015 on OPM systems and from October 2014 to April 2015 on Interior’s database, which was the source of the 4.2 million-record breach.
Although the Interior breach was discovered second, it was a less challenging investigation, while investigating the background check breach was “extremely complicated,” which is why it took so long to determine how many people were affected, Ozment said.
Archuleta pledged three years of credit monitoring and other support for the 21.5 million individuals affected by the background check breach.
According to OPM, 3.6 million of the 4.2 million people whose records were exposed in the personnel file breach were also affected by the background investigation breach, making the total number of those affected 22.1 million.
Those 3.6 million will receive three years of credit monitoring rather than the 18 months initially offered by OPM through contractor CSID, Archuleta said. She added that she did not yet know whether the remaining 600,000 affected only by the personnel file breach would receive expanded coverage.
Archuleta said credit monitoring might be added to the standard benefits package for federal employees.
The call was kept short, and only a handful of reporters were allowed to ask questions. At least two other reporters, including this one, attempted to ask questions but were cut off.