
OPM's 'Cyber Pearl Harbor' might affect 14 million


One week after news broke that the Office of Personnel Management had suffered a massive, long-running breach, another raft of reports revealed the breach may have been far worse than initially projected.

It's possible that the personal information of every single federal employee and retiree was exposed in a breach that was discovered accidentally -- and China is behind the whole thing, a senior lawmaker confirmed.

Lawmakers and pundits alike are sounding the alarm on a "cyber Pearl Harbor."

4 million, 7 million, 14 million, every last fed?

OPM first claimed roughly 4 million current and former feds may have had data exposed in the breach.

In later talks with unions, the Wall Street Journal reported, OPM broke down an exposure estimate: 2.1 million active feds, 1.1 million former government employees and 1 million retirees, for a total of 4.2 million.

But at least one union isn't buying it.

"Based on the sketchy data OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of personnel data for every federal employee, every federal retiree, and up to one million former federal employees," J. David Cox, president of the American Federation of Government Employees, wrote in a blistering letter to OPM Director Katherine Archuleta.

OPM has declined to identify which networks were targeted. The Central Personnel Data File is a master index of government employee info, with 69 specific information points that include Social Security numbers and health and pay data.

Cox called the OPM breach an "abysmal failure" and noted the fact that personnel files were not individually encrypted -- "a cybersecurity failure that is absolutely indefensible and outrageous." He called for free lifetime credit monitoring for those affected.

While Cox's claim could push the number of affected individuals up to 7 million, others say it could be even higher.

Bloomberg reported that investigators believe the information of as many as 14 million people could have been exposed, though the government is still grappling with a final count.

OPM spokesman Samuel Schumach has said there's "no evidence" that security clearance background information -- highly sensitive material that could add contractors onto the list -- was exposed in the breach. OPM is responsible for some 90 percent of all federal background checks.

An accidental discovery?

In its initial June 4 announcement, released on the heels of an Associated Press article exposing the breach to the public, OPM said the breach's detection was the "result" of "an aggressive effort to update [OPM's] cybersecurity posture," and that "[t]he intrusion predated the adoption of the tougher security controls."

But the discovery might have owed more to chance than to calculated security measures: Investigators told the Wall Street Journal that the breach was detected during a sales pitch.

CyTech Services, a service-disabled veteran-owned small business based in Manassas, Va., put OPM's network through a diagnostics study as part of a sales demo and happened to uncover embedded malware, investigators told the Journal. A source speaking on condition of anonymity confirmed to FCW that OPM invited CyTech in to demonstrate its product in mid-April, and that the malware was detected at that time.

Chinese hackers to blame?

"The Chinese" are responsible for the OPM hack, Senate Minority Leader Harry Reid said June 11.

As the Associated Press noted, it's unclear whether Reid meant the Chinese government or semi-autonomous hackers, but as the Nevada Democrat is one of the lawmakers privy to the government's most high-level security briefings, his comment corroborates widespread suspicion of the hack's origin.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.


