U.S. Office of Personnel Management (OPM) Breach Exposes 4 Million Federal Employees
The US government warned on Thursday that hackers may have accessed the personal data of roughly four million federal employees.
On Thursday afternoon, the U.S. Office of Personnel Management (OPM) said that it identified a “cybersecurity incident” in April 2015 that potentially exposed personnel data of upwards of 4 million current and former federal employees, including personally identifiable information (PII).
As a result, OPM said it would send notifications to the millions of individuals whose PII may have been compromised in the attack.
“Within the last year, the OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its network,” an OPM statement said. “As a result, in April 2015, OPM detected a cyber-intrusion affecting its information technology (IT) systems and data. The intrusion predated the adoption of the tougher security controls.”
The OPM said that it is working with the US-CERT and the FBI to determine the full impact of the breach.
OPM did not publicly attribute the attack to a specific source, but some reports say Chinese hackers may be responsible.
“OPM continues to improve security for the sensitive information it manages and evaluates its IT security protocols on a continuous basis to protect sensitive data to the greatest extent possible. Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network.”
OPM is offering credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals.
“There is a general notion that government agencies unilaterally have their act together when it comes to protecting their information assets; this is fundamentally false,” Jay Kaplan, CEO of Synack and former NSA analyst, told SecurityWeek. “Government agencies have just as much trouble protecting sensitive data as the largest corporations in the world.”
“OPM data is extremely sensitive — from an operational security perspective, the government takes the confidentiality of their employees extremely seriously,” Kaplan added. “If the reports are true, this is a massive problem that could put key government employees that wish to remain anonymous at risk. State governments are and will continue to be the most difficult threats to protect against — current defenses on unclassified networks are not a match for well-funded and highly motivated actors.”
In Aug. 2014, US Investigations Services (USIS), a Department of Homeland Security (DHS) contractor that conducts background checks for the agency, was the target of a cyberattack that appeared to have been launched by a state-sponsored entity.
*Updated with commentary

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
