Cybersecurity

Up to 14 million exposed in federal hack

A massive hack of the federal government may have compromised personal information belonging to 9 million to 14 million people, far more than was initially believed.
 
Multiple sources on Capitol Hill, within the federal workforce and around Washington have estimated that the final tally of people affected by the hack could easily eclipse the 4 million reported by the Obama administration. 
 
Already, the theft of data from the Office of Personnel Management (OPM) is the largest data breach ever at the federal government. With an increase in the scope of the attack — which officials, speaking privately, have traced back to China — the Obama administration’s response will face further scrutiny and more questions about the state of the nation’s digital security.
 
“I have heard from unattributed sources that this attack was much larger than originally reported,” Senate Armed Services Committee Chairman John McCain (R-Ariz.) said on Thursday.
 
The OPM announced last week that hackers had pilfered 4 million federal workers’ records over a period of at least four months before they were caught. The stolen data includes information about current and former employees’ background checks, which could be a veritable gold mine for foreign governments looking to recruit spies or blackmail Americans.
 
“It’s a treasure trove,” Sen. Susan Collins (R-Maine) said earlier this week.
 
It’s unclear whether the larger number would include contractors’ data held by the government, or friends and family members of people who underwent background checks for the government.

On Thursday, the head of the American Federation of Government Employees, the largest federal employees' union, declared that hackers stole data about each and every one of the 4.2 million federal workers, as well as every retiree and up to a million former federal employees. Hackers stole information about their health and life insurance plans, military records, Social Security numbers and other personal data, union president J. David Cox wrote.

Those Social Security numbers were not encrypted, he added, a glaring security oversight that Cox called “absolutely indefensible and outrageous.”

The union letter was first reported by The Associated Press.
 
Officials at the OPM as well as the Department of Homeland Security (DHS) declined on Thursday to respond to the possible scope of the breach.
 
“We do not have any further guidance as this is still an ongoing investigation,” an OPM representative said.
 
The House Oversight and Government Reform Committee is scheduled to hold a hearing on the breach next Tuesday.

Some Republicans have expressed frustration with the amount of information provided by the Obama administration.
 
“They’re just not taking the security problems seriously enough and addressing them,” Senate Homeland Security Committee Chairman Ron Johnson (R-Wis.) said on Thursday.
 
Top officials from the OPM as well as the DHS and the Office of the Director of National Intelligence briefed House lawmakers on Tuesday.
 
“I don’t think we can say with any kind of certainty that anyone is beyond impact here,” Rep. Adam Schiff (Calif.), the top Democrat on the House Intelligence Committee, said upon exiting that meeting.
 
“I think any time you talk about the personnel files involving potentially 4 million current and former federal employees, it’s hard to see where it stops in terms of several degrees of separation, because obviously others may be mentioned in those personnel files,” he added.

This story was updated at 5:20 p.m.