OPM's 'Cyber Pearl Harbor' might affect 14 million

One week after news broke that the Office of Personnel Management had suffered a massive, long-running breach, another raft of reports revealed the breach may have been far worse than initially projected.

It's possible that the personal information of every single federal employee and retiree was exposed in a breach that was discovered accidentally -- and China is behind the whole thing, a senior lawmaker confirmed.

Lawmakers and pundits alike are sounding the alarm on a "cyber Pearl Harbor."

4 million, 7 million, 14 million, every last fed?

OPM first claimed roughly 4 million current and former feds may have had data exposed in the breach.

In later talks with unions, the Wall Street Journal reported, OPM broke down an exposure estimate: 2.1 million active feds, 1.1 million former government employees and 1 million retirees, for a total of 4.2 million.

But at least one union isn't buying it.

"Based on the sketchy data OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of personnel data for every federal employee, every federal retiree, and up to one million former federal employees," J. David Cox, president of the American Federation of Government Employees, wrote in a blistering letter to OPM Director Katherine Archuleta.

OPM has declined to identify which networks were targeted. The Central Personnel Data File is a master index of government employee info, with 69 specific information points that include Social Security numbers and health and pay data.

Cox called the OPM breach an "abysmal failure" and noted the fact that personnel files were not individually encrypted -- "a cybersecurity failure that is absolutely indefensible and outrageous." He called for free lifetime credit monitoring for those affected.

While Cox's claim could push the number of affected individuals up to 7 million, others say it could be even higher.

Bloomberg reported that investigators believe the information of as many as 14 million people could have been exposed, though the government is still grappling with a final count.

OPM spokesman Samuel Schumach has said there's "no evidence" that security clearance background information -- highly sensitive material that could add contractors onto the list -- was exposed in the breach. OPM is responsible for some 90 percent of all federal background checks.

An accidental discovery?

In its initial June 4 announcement, released on the heels of an Associated Press article exposing the breach to the public, OPM said the breach's detection was the "result" of "an aggressive effort to update [OPM's] cybersecurity posture," and that "[t]he intrusion predated the adoption of the tougher security controls."

But the discovery might have owed more to chance than to calculated security measures: investigators told the Wall Street Journal that the breach was detected during a sales pitch.

CyTech Services, a service-disabled veteran-owned small business based in Manassas, Va., put OPM's network through a diagnostics study as part of a sales demo and happened to uncover embedded malware, investigators told the Journal. A source speaking on condition of anonymity confirmed to FCW that OPM invited CyTech in to demonstrate its product in mid-April, and that the malware was detected at that time.

Chinese hackers to blame?

"The Chinese" are responsible for the OPM hack, Senate Minority Leader Harry Reid said June 11.

As the Associated Press noted, it's unclear whether Reid meant the Chinese government or semi-autonomous hackers, but as the Nevada Democrat is one of the lawmakers privy to the government's most high-level security briefings, his comment corroborates widespread suspicion of the hack's origin.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.
