The United States Office of Personnel Management (“OPM”) disclosed that it was the target of what has been described as the largest breach in U.S. government history, affecting the personal information of up to 14 million current and former federal employees, a far higher figure than the 4 million the agency initially disclosed. Officials believe that the intrusion originated in China and suspect that it was state sponsored, claims that the Chinese government has steadfastly denied. The stolen personnel records would provide a foreign government with a means to blackmail, impersonate or otherwise exploit those affected in an effort to gain access to U.S. secrets or entry into government computer networks. The American Federation of Government Employees believes the hackers stole Social Security numbers, military records and veterans’ status information, addresses, birth dates, job and pay histories; health insurance, life insurance and pension information; and age, gender and race data.
Officials also discovered that deeply personal information submitted by U.S. intelligence and military personnel for security clearances—mental illnesses, drug and alcohol use, past arrests, bankruptcies and more—is in the hands of hackers also linked to China. Officials say the hack into the security clearance database was separate from the breach of federal personnel data announced last week and that it was unclear whether the security database breach happened when OPM’s computer networks were breached in 2013, an attack that was discovered in July 2014.
The recent breach comes only a few months after OPM’s Office of the Inspector General harshly criticized OPM for its lax security in a November 2014 report on the agency’s compliance with the Federal Information Management Act. The report found “significant” deficiencies in OPM’s IT security program. Specifically, it noted OPM’s lack of encryption and the agency’s failure to track its equipment. It also found that OPM failed to maintain an inventory list of its servers and databases and did not even know all the systems that were connected to its networks. OPM also failed to use multi-factor authentication for workers accessing the systems remotely from home or on the road.