CNN broke news Tuesday that the cyber attack on the Office of Personnel Management (OPM) may be worse than original reports. U.S. officials briefed on the investigation say the security breach affects 18 million current, former and prospective federal employees, which is more than four times the 4.2 million the OPM has acknowledged. It is possible the 18 million estimate may grow larger because the personal data of people who applied for government jobs, but never worked for the government, may also have been leaked.
The Obama administration announced the security breach on June 4 and that 4.2 million federal employee records stored at the OPM may have been compromised. The data leak had gone on for some time, possibly months, and among the stolen data was personal, private information collected for security clearance purposes. A week later the President said that a second, separate breach of the OPM’s computer system had been found, which likely originated from the same hackers.
U.S. investigators suspect a Chinese group was involved in the attack, which may have been affiliated with the government. Forensic experts believe the attack on the OPM was similar to attacks earlier this year at health insurance companies Anthem and Premera Blue Cross, which may have breached as many as 80 million member records.
U.S. officials believe the breach could be the biggest ever of the government’s computer networks and may involve past and current federal workers at nearly every agency. Congressional leaders have initiated questioning of the OPM to understand how the agency could have kept personnel data in an nonsecure, unencrypted form.
At a House oversight panel, Office of Personnel’s Management Director Katherine Archuleta received tough questions about lax security practices. Representative Stephen Lynch, (D-Mass.), said “I wish that you were as strenuous and hardworking at keeping information out of the hands of hacker as are at keeping information out of the hands of Congress” when Archueta did not give a direct answer about actions to not encrypt confidential personal data.
