OPM's 'Cyber Pearl Harbor' might affect 14 million


One week after news broke that the Office of Personnel Management had suffered a massive, long-running breach, another raft of reports revealed the breach may have been far worse than initially projected.

It's possible that the personal information of every single federal employee and retiree was exposed in a breach that was discovered accidentally -- and China is behind the whole thing, a senior lawmaker confirmed.

Lawmakers and pundits alike are sounding the alarm on a "cyber Pearl Harbor."

4 million, 7 million, 14 million, every last fed?

OPM first claimed roughly 4 million current and former feds may have had data exposed in the breach.

In later talks with unions, the Wall Street Journal reported, OPM broke down an exposure estimate: 2.1 million active feds, 1.1 million former government employees and 1 million retirees, for a total of 4.2 million.

But at least one union isn't buying it.

"Based on the sketchy data OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of personnel data for every federal employee, every federal retiree, and up to one million former federal employees," J. David Cox, president of the American Federation of Government Employees, wrote in a blistering letter to OPM Director Katherine Archuleta.

OPM has declined to identify which networks were targeted. The Central Personnel Data File is a master index of government employee info, with 69 specific information points that include Social Security numbers and health and pay data.

Cox called the OPM breach an "abysmal failure" and noted the fact that personnel files were not individually encrypted -- "a cybersecurity failure that is absolutely indefensible and outrageous." He called for free lifetime credit monitoring for those affected.

While Cox's claim could push the number of affected individuals up to 7 million, others say it could be even higher.

Bloomberg reported that investigators believe the information of as many as 14 million people could have been exposed, though the government is still grappling with a final count.

OPM spokesman Samuel Schumach has said there's "no evidence" that security clearance background information -- highly sensitive material that could add contractors onto the list -- was exposed in the breach. OPM is responsible for some 90 percent of all federal background checks.

An accidental discovery?

In its initial June 4 announcement, released on the heels of an Associated Press article exposing the breach to the public, OPM said the breach's detection was the "result" of "an aggressive effort to update [OPM's] cybersecurity posture," and that "[t]he intrusion predated the adoption of the tougher security controls."

But the discovery might have owed more to chance than to calculated security measures: Investigators told the Wall Street Journal that the breach was detected during a sales pitch.

CyTech Services, a service-disabled veteran-owned small business based in Manassas, Va., put OPM's network through a diagnostics study as part of a sales demo and happened to uncover embedded malware, investigators told the Journal. A source speaking on condition of anonymity confirmed to FCW that OPM invited CyTech in to demonstrate its product in mid-April, and that the malware was detected at that time.

Chinese hackers to blame?

"The Chinese" are responsible for the OPM hack, Senate Minority Leader Harry Reid said June 11.

As the Associated Press noted, it's unclear whether Reid meant the Chinese government or semi-autonomous hackers, but as the Nevada Democrat is one of the lawmakers privy to the government's most high-level security briefings, his comment corroborates widespread suspicion of the hack's origin.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.

