The data breach that recently hit the US government's Office of Personnel Management, in which personnel records for millions of federal workers were swiped, is worse than first feared, sources claim.
According to new reports that emerged on Thursday, the attack was active for more than a year and the pilfered information included detailed personal information on what may be every federal employee, in addition to lists of their foreign contacts.
Were the hackers going after Americans with personal links to China?
Citing information leaked from classified briefings, The New York Times reports that the hackers – who are believed to be based in China – built a database of intelligence on prominent US officials including diplomats, nuclear experts, White House staffers, and trade officials.
Among that information were lists of foreign contacts, which US government employees are required to disclose when applying for security clearance passes.
Those contacts would include relatives, friends, and associates in mainland China. And US intelligence officials now worry that if that information is in the hands of the Chinese government, it could be used for blackmail or retaliation. What's more, it could spell trouble for people in China who may have concealed their relationships with American officials.
The NYT report goes on to note that most of the pilfered data was not encrypted, lending credence to criticism that OPM was woefully unprepared to face any sort of security intrusion. Previous government audits slammed the agency for failing to provide so much as an inventory of its IT systems.
In the system for more than a year
It should come as no surprise, then, that the hackers enjoyed a lengthy stay in the OPM network before they were detected. ABC News reports that the hackers harvested data from various segments of OPM's records database for more than a year, including forms filled out by federal employees seeking security clearances.
How high up did the breach go? Another ABC News report cites government sources who believe that top Obama administration officials were among the targets, including current and former cabinet members.
"If [only] they knew the full extent of it," an unnamed official was quoted as saying.
Chapter and verse on the lives of millions
The full extent appears to be dire. A report by the Associated Press cites correspondence between the OPM and the American Federation of Government Employees, a public sector union, which fears that every federal employee may have been compromised in the breach. Sources told the AP that the data includes "military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, and race data."
On top of what will be a steep cost in lost intelligence and potential blackmail of government employees, the fallout from the attack carries with it a significant monetary cost.
NextGov points to a $20m deal that OPM has signed with The Winvale Group to provide notification, credit reports, and credit and identity monitoring to each of the current and former employees affected. Based on an estimate of 4 million accounts breached, that would add up to roughly five dollars per person.
Not surprisingly, other unions representing federal employees are less than enthused about the way the incident has been handled thus far. The Hill reports the National Federation of Federal Employees (NFFE) is expressing frustration with what it calls a lack of communication between OPM and the aggrieved workers.
"They cannot even get through to a live human to answer their questions," said NFFE president William Dougan. "Federal employees deserve better than this."
Discovered during a product demo
Finally, the Wall Street Journal has sources that claim the network breach was discovered when an IT security company called CyTech turned up to demonstrate its intrusion forensics software to federal staffers. A diagnostic check of the agency's computers turned up hidden malware, sparking further investigation. ®