The personal information of more than 21 million was compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management, two congressional sources have told National Journal.
That number is in addition to the 4.2 million social security numbers that were compromised in another data breach at OPM that was made public in June.
The personnel agency will announce the size of the breach Thursday afternoon, according to multiple congressional sources with knowledge of the issue.
The second data breach, which officials have privately linked to China, affected 21.5 million federal employees and began in May 2014, according to OPM Director Katherine Archuleta's testimony before Congress. It was not discovered until April 2015.
A security update applied by OPM and the Department of Homeland Security in January 2015 ended the bulk of the data extraction, according to congressional testimony from Andy Ozment, assistant secretary for cybersecurity and communications at DHS, even though the breach would not be discovered for months.
News of the second intrusion was first reported in June and was described as a potentially devastating heist of government data, as hackers seized extensive security-clearance information intelligence and military personnel. OPM said at the time that it became aware of the second hack while investigating the smaller breach that affected 4.2 million, which was disclosed earlier in June.
The Social Security numbers lost in the breach announced Thursday include those of federal workers' spouses and children, according to one source.
The size of the breach exceeds most of the estimates previously reported in various media outlets, including CNN, which said last month that the FBI believed 18 million people had been affected by the hack.
On Wednesday, FBI Director James Comey refused to provide a specific number when asked by members of the Senate Intelligence Committee about the size of the breach. Comey did say the hack was "enormous," however, and confirmed that his own data had been compromised.