Chinese hackers stole the personal information of 4.1 million current and former federal employees in one of the largest-ever breaches of a U.S. government computer network, federal officials revealed Thursday.
One federal official cautioned that it’s still unclear if the breach was the work of state-sponsored hackers or criminals from the Chinese underworld — let alone what they intend to do with the stolen data, which included names, addresses, financial information and possibly Social Security numbers. But a former cybersecurity official in the Obama White House said the breach was “more likely to have been a criminal act,” aimed at enabling crimes like online payments fraud, as opposed to launching attacks against U.S. national security.
“That is the most likely reason that someone would want this type of data,” said Rob Knake, who served on the National Security Council staff until earlier this year. “It’s of very limited value within the intelligence community. … It doesn’t make sense to me that a state intelligence agency would want to deploy resources to get the Social Security number of clerks at the Commerce Department.”
Still, the implications for the security of federal computer networks are unsettling. This marks the third or fourth known hack of federal personnel data in approximately a year, including an attack in August that officials attributed to the Chinese government.
The Office of Personnel Management said Thursday that it had detected the latest intrusion into its systems in April. The Department of Homeland Security said its US-CERT team concluded in May that OPM data had been compromised.
OPM said it has since adopted tougher security controls that include restricting remote access, reviewing its connections to the Internet and deploying anti-malware software. But Sen. Mark Warner (D-Va.) said in a statement Thursday night that the office clearly has not been doing enough.
“Today’s reported breach is part of a troubling pattern by this agency in failing to secure the personal data of federal employees — the second major breach in a year,” said Warner, a member of the Senate Select Committee on Intelligence. “Cyberattacks present a critical threat to our national security and our economy. We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”
One federal official confirmed reports that investigators had traced the attackers to China, but said he didn’t know whether they were state-sponsored or not.
“China is not a monolith,” the official said. “There are many different things that can be Chinese. You may be seeing something where we’re not going to be pointing the finger [in public], because we don’t have an indictment to lay down.”
“It could be that some underworld actors are being contracted by a government actor,” the official added.
The hacked database is the Central Personnel Data System File, a repository for personal information for the entire federal workforce of 2 million and for just more than 2 million federal retirees and other former employees, officials from the American Federation of Government Employees said.
“We’ve been told that they got the whole personnel data central file,” said Jacqueline Simon, the AFGE’s public policy director.
The data includes names, addresses, pay grades, records of personnel actions such as reprimands, and pension, insurance and health plan details. Social Security numbers in the database should have been masked or encrypted if the agency was using best information security practices, union spokesman Tim Kauffman said.
OPM did not immediately respond to clarification questions. The agency will offer free credit monitoring, identity theft insurance and recovery services to affected employees. The FBI said it will “hold accountable those who pose a threat in cyberspace.”
The OPM database is hosted by the Interior Department, which, through its Interior Business Center, sells information technology services to other federal agencies at cost.
The information stolen about federal workers could be useful to hackers — state-sponsored or otherwise — for targeted attacks known as “spear-phishing,” in which a malicious email is crafted to appear to come from a trusted source so that the recipient opens it, giving the attacker a way into a computer system.
Knake cautioned against jumping to the conclusion that it was state-sponsored, noting that much of the information necessary for a good spear-phishing attack has already been leaked or stolen online.
This isn’t the first time hackers have targeted federal employees’ records.
An OPM contractor, the government background-check firm USIS, was breached in August in an attack attributed to the Chinese government that compromised the personal information of more than 27,000 employees. A hack at another OPM contractor, KeyPoint Government Solutions, may have exposed the data of more than 48,000 employees in December. OPM itself was breached in March 2014 by hackers who appeared to target the files of employees who had applied for top-secret security clearances.
OPM has come under criticism for lax security practices, a perception that the agency’s Chief Information Officer, Donna Seymour, sought to dispel during an April hearing of the House Oversight and Government Reform Committee.
“In an average month, OPM thwarts almost 2.5 billion confirmed attempts to hack its network,” Seymour told the committee. “These attacks will not stop. If anything, they will increase.”