The Obama administration announced late Thursday that a cyberattack on the Office of Personnel Management (OPM) had exposed the personal information of up to four million current and former federal employees. The attack is believed to be the largest ever breach of the government’s computer systems.
OPM handles human resources for the entire federal government. The hackers are believed to stolen names, birthdates, and Social Security numbers, although the SSNs are likely encrypted. While OPM also handles highly sensitive security clearances, officials told NBC News that they don’t believe any CIA covert identities have been compromised.
OPM first discovered evidence of the breach in April.
Anonymous U.S officials told the Washington Post that they believed that the attack originated in China, and while they suggested it was state-sponsored, there is no evidence yet to support that claim.
Texas-based cybersecurity firm iSight Partners said that the hackers behind the OPM hack were also likely responsible for the theft of millions of patient records from healthcare giant Anthem Blue Cross. The company tied the two incidents together based on the similarities in the techniques used.
Chinese officials insisted to CNN that the county’s government had nothing to do with the attack.
“Cyberattacks conducted across countries are hard to track, and therefore the source of attacks is difficult to identify,” said Zhu Haiquan, a spokesperson for the Chinese embassy in Washington, D.C. “Jumping to conclusions and making hypothetical accusation is not responsible and counterproductive.”
The OPM breach wouldn’t be the first time that China notorious hackers allegedly broken into the agency’s computer systems. In March 2014, hackers apparently traced to China were found to have targeted OPM computer systems containing information about the federal employees who had applied for top-secret security clearances.
OPM will be sending out notifications to everyone whose information was compromised on Monday. The agency will also provide free credit-monitoring and identity-theft insurance-and-recovery services to victims for 18 months.
“Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM,” Katherine Archuleta, the office’s director, said in a statement. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”
The Federal Trade Commission has posted a set of guidelines for affected government employees. The FTC urged victims to check their credit report for unfamiliar transactions on annualcreditreport.com and to place a fraud alert on their credit reports. OPM’s letters to theft victims will include a list of what information was exposed for each employee.
The attack on OPM is the second high-profile hack on U.S. government computers in recent weeks. Late last month, the Internal Revenue Service announced that hackers had taken advantage of a weakness in an application on the agency’s website to steal the personal information of over 100,000 American taxpayers.
While cyberattacks against the U.S. make the news with some regularity—like when Russian hackers compromised White House computers—virtual assaults against government systems are a daily occurrence. CNN estimated that there were nearly 61,000 cyberattacks and security breaches directed at government computers in 2014 alone.
Photo via Colin/Wikimedia Commons (CC BY SA 4.0)