Hackers stole Social Security numbers of every current and retired federal employee

According to a report by the Associated Press, the recently revealed hack of the Office of Personnel Management’s computer systems may have affected every employee in the federal government.

In a letter from the to OPM Director Katherine Archuleta obtained by the AP, American Federal of Government Employees President J. David Cox wrote that hackers had stolen the personal information on every single federal employee and retiree—including Social Security numbers.

Other information compromised included names, birth dates, military records, health insurance, and pension information. “We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” Cox wrote in the letter.

While OPM, which essentially functions as the federal government’s human resources department, has stated they had detected evidence of the security breach in April, unnamed government sources told ABC News that the attack had gone on undetected for more than a year.

ABC reports that much of the stolen information was the result of hackers gaining access to employees’ SF-86 forms, which are used to complete background checks for granting security clearance and contain extensive amounts of information about employees and their families.

“If the SF-86s associated with this hack were, in their entirety, part of the stolen information, then that would mean the potential release of a staggering amount of information, affecting an exponential amount of people,” an official told ABC.

The government has officially been mum on the source of the hack. However, some, like Sen. Susan Collins (R–Maine) have pointed the finger at the Chinese government. “[This cyberattack is] yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances,” Collins told the Guardian.

OPM officials have said they will be offering everyone affected by the breach 18 months of free credit monitoring. The Federal Trade Commission has also posted a set of guidelines for the government workers affected by the hack to keep themselves safe form identity theft.

With the type of information that was compromised, it’s possible for hackers to do everything from opening new lines of credit, loans, or fraudulently obtaining medical care to filing fake tax returns in the victim’s name and collecting the refund.

“As far as the length of time that credit monitoring is being offered, 18 months is certainly a good start,” said Eva Velasquez, the president of the Identity Theft Resource Center. “Unfortunately identity theft can occur long after the information has been compromised so it will be up to the individuals to continue to be vigilant and take advantage of free resources (such as the ITRC and FTC) when the service expires.”

Update 6:26pm CT, June 11: The story has been updated to more accurately reflect the initial assumptions about the size of the hack. 

Editor’s Note: This article has been updated to provide additional clarity and context.

Photo via Sonel/pixabay (public domain)

Aaron Sankin

Aaron Sankin

Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.