This story was last updated at 10:04 a.m. (EST) on June 5, 2015.
The Office of Personnel Management will notify 4 million former and current federal employees that their personally identifiable information (PII) may have been compromised by a major cyber-intrusion of its information technology systems.
OPM said it will send email notifications to those affected from June 8-19. The email will come from email@example.com. If OPM doesn’t have an email address on file, it says it will send a standard letter in the mail. The notification will also contain information on free credit monitoring services the government will offer to all individuals impacted.
OPM is working with the Homeland Security Department’s Computer Emergency Readiness Team (US-CERT) and the FBI to assess the scope of the attack, which occurred in April.
A U.S. official, who declined to be named because he was not authorized to publicly discuss the data breach, told the Associated Press the breach could potentially affect every federal agency. One key question is whether intelligence agency employee information was stolen.
The Office of Personnel Management conducts more than 90 percent of federal background investigations, according to its website.
Sen. Susan Collins (R-Maine), a member of the Senate intelligence committee, told the Associated Press the hackers were believed to be based in China. She said the breach was “yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances.”
The Chinese Foreign Ministry responded Friday by saying such claims are unproven and irresponsible, and that it wishes the United States would trust it more.
“We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source,” said Hong Lei, a spokesman for the ministry. “It’s irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation.”
Beijing routinely dismisses any allegation of its official involvement in cyberattacks on foreign targets, while invariably noting that China is itself the target of hacking attacks.
The Department of Homeland Security said in a statement that data from the Interior Department had also been compromised.
OPM detected the intrusion of its cyber system using a comprehensive network monitoring plan developed with DHS.
“Using these newly identified cyber indicators, DHS’s United States-Computer Emergency Readiness Team (US-CERT) used the EINSTEIN system to discover a potential compromise of federal PII,” a DHS spokesperson said. “Working with the affected agency and other inter-agency partners, US-CERT cyber incident response teams were deployed to identify the scope of the potential intrusion and mitigate any risks identified. Based upon these response activities, DHS concluded at the beginning of May 2015 that OPM data had been compromised.”
It was unclear why the EINSTEIN system didn’t detect the breach until after so many records had been copied and removed.
“DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion,” the statement said.
The FBI is investigating how and why the incident occurred, and DHS is continuing to monitor federal networks for any suspicious activity.
“Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network,” OPM said, in a release.
Cybersecurity expert Morgan Wright of the Center for Digital Government, an advisory institute, said EINSTEIN “certainly appears to be a failure at this point. The government would be better off outsourcing their security to the private sector where there’s at least some accountability.”
Due to the ongoing nature of the investigation, more PII exposures may be revealed. OPM said it will notify individuals if that is the case. To mitigate the risk of fraud or identity theft, OPM is offering identity theft insurance, credit monitoring and credit report access to those who may have been impacted.
“Protecting our Federal employee data from malicious cyber incidents is of the highest priorities at OPM,” said OPM Director Katherine Archuleta. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”
Concern grows over latest cyber attack
Sen. Richard Burr, chairman of the Senate Select Committee on Intelligence, issued a statement saying that the OPM breach demonstrated that cybersecurity must be a top priority for the government.
“Every day, these attacks are getting more technically advanced and now another agency has been compromised,” he said. “We cannot continue to look the other direction. Our response to these attacks can no longer simply be notifying people after their personal information has been stolen; we must start to prevent these breaches in the first place.”
Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Governmental Affairs Committee, said the data breach at OPM demonstrates how agencies are vulnerable to cyber threats.
“It is disturbing to learn that hackers could have sensitive personal information on a huge number of current and former federal employees,” Johnson said. “It is even more troubling that this is only the latest in a series of cyberattacks on the Office of Personnel Management. OPM says it ‘has undertaken an aggressive effort to update its cybersecurity posture.’ Plainly, it must do a better job, especially given the sensitive nature of the information it holds.”
J. David Cox Sr., national president of the American Federation of Government Employees, said in a statement that the breach affected 2.1 million current federal employees and 2 million federal retirees and former feds, adding that the attack targeted personnel records.
“AFGE is working closely with the administration to determine the extent of the breach and explore ways to remediate it,” Cox said in a statement. “We will work with the administration to ensure that all available measures be taken to secure the personal information of all affected employees, and that these measures be implemented as soon as possible. AFGE will demand accountability and will take every necessary step to see that the interests and security of the nearly 700,000 people we represent are addressed.”
Rep. Gerry Connolly (D-Va.) called for greater cybersecurity at federal agencies.
“While improvements have been made to protect federal government computer systems from such cyber attacks, this latest breach is one more reason federal agencies must continue to implement more proactive cybersecurity measures. Such measures should include aggressive implementation of the Federal Information Security Modernization Act (FISMA), which requires the government to universally adopt precisely the type of proactive measures that detected this most recent data breach,” Connolly said.
Colleen Kelley, president of the National Treasury Employees Union, released a statement expressing concern about the breach and the range of employee data that OPM keeps.
“It is vital to know as soon as possible the extent to which, if any, personal information may have been obtained so that affected employees can be notified promptly and encouraged to take all possible steps to protect themselves from financial or other risks,” Kelley said in the statement.
This isn’t the first time OPM has had to notify federal employees that their PII may have been exposed by a cyber breach.
Last December, OPM announced that “out of an abundance of caution” it was notifying 48,439 federal employees that their PII data may have been exposed due to a compromised computer network at KeyPoint Government Solutions, the largest private provider of background check services for the federal government.
“Today’s reported breach is part of a troubling pattern by this agency in failing to secure the personal data of federal employees – the second major breach in a year,” Sen. Mark Warner (D-Va.), member of the Senate Select Committee on Intelligence, said in a statement. “Cyber attacks present a critical threat to our national security and our economy. We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”
Also in January, OPM experienced a security glitch in its retirement services portal, which let some users log in and access other retirees’ personal information.
“Although this breach may not have been the result of a cyber attack, it still demonstrates the challenges faced by federal agencies and private sector organizations in safeguarding personally identifiable information,” said Rep. Elijah Cummings (D-Md.), at the time.
On the current OPM breach, Cummings released a statement: “The number and frequency of cyber attacks on our nation continue to grow at an alarming rate, both against government and private sector targets. It is critical to ensure that businesses and federal agencies identify and implement cutting-edge safeguards to combat these increasingly sophisticated attackers.”
The following guidance for those impacted is taken directly from OPM:
Steps for Monitoring Your Identity and Financial Information:
How to avoid being a victim:
The Associated Press contributed to this story.