The U.S. government says it's concluded "with high confidence" that the Social Security numbers of 21.5 million people were stolen from government background investigation databases.
The Office of Personnel Management says that number includes 19.7 million individuals who applied for a background investigation and 1.8 million nonapplicants, who it says are primarily spouses and cohabitants of the applicants.
OPM says the 21.5 million records are in addition to the 4.2 million individual records it had originally identified as being stolen from its computers.
The two separate incidents, which were publicly revealed on June 4 and on June 12, mean the records of more than 25 million people have been stolen from OPM-managed databases, although there could be some overlap.
It was widely thought the numbers affected by the data breaches would grow, but the latest estimates go beyond even the most pessimistic estimates.
The government says people who had background checks through OPM starting in 2000 are "highly likely" to have been affected by the data breach. People who had checks prior to 2000 are "less likely" to have been affected.
The background checks contain "some information regarding mental health and financial history"; in addition, approximately 1.1 million of the records contain fingerprints.
Congressional critics have called for OPM director Katherine Archuleta to resign. House Oversight Committee Chairman Jason Chaffetz, R-Utah, said the "negligence" of Archuleta and OPM Chief Information Officer Donna Seymour "has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable."
The Obama administration has not publicly identified whom it suspects is behind the breach, but it's widely believed to be China.
Those whose background checks were stolen will be notified in the coming weeks, the OPM says. They will be offered at no charge full service identity restoration support and victim recovery assistance, along with identity theft insurance, identity monitoring for minor children and continuous credit monitoring "for a period of at least 3 years."