The OPM breach is looking worse than initially projected, with potentially every fed's information compromised. And the breach was discovered during a vendor's sales demonstration.
One week after news broke that the Office of Personnel Management had suffered a massive, long-running breach, another raft of reports revealed the breach may have been far worse than initially projected.
It's possible that the personal information of every single federal employee and retiree was exposed in a breach that was discovered accidentally -- and a senior lawmaker has said that China is behind the whole thing.
4 million, 7 million, 14 million, every last fed?
OPM first claimed roughly 4 million current and former feds may have had data exposed in the breach.
In later talks with unions, the Wall Street Journal reported, OPM broke down an exposure estimate: 2.1 million active feds, 1.1 million former government employees and 1 million retirees, for a total of 4.2 million.
But at least one union isn't buying it.
"Based on the sketchy data OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of personnel data for every federal employee, every federal retiree, and up to one million former federal employees," J. David Cox, president of the American Federation of Government Employees, wrote in a blistering letter to OPM Director Katherine Archuleta.
OPM has declined to identify which networks were targeted. The Central Personnel Data File is a master index of government employee info, with 69 specific information points that include Social Security numbers and health and pay data.
Cox called the OPM breach an "abysmal failure" and noted that personnel files were not individually encrypted -- "a cybersecurity failure that is absolutely indefensible and outrageous." He called for free lifetime credit monitoring for those affected.
While Cox's claim could push the number of affected individuals up to 7 million, others say it could be even higher.
Bloomberg reported that investigators believe the information of as many as 14 million people could have been exposed, though the government is still grappling with a final count.
OPM spokesman Samuel Schumach has said there's "no evidence" that security clearance background information -- highly sensitive material whose exposure could add contractors to the list of those affected -- was exposed in the breach. OPM is responsible for some 90 percent of all federal background checks.
An accidental discovery?
In its initial June 4 announcement, released on the heels of an Associated Press article exposing the breach to the public, OPM said the breach's detection was the "result" of "an aggressive effort to update [OPM's] cybersecurity posture," and that "[t]he intrusion predated the adoption of the tougher security controls."
But chance may have played a larger part in the discovery than deliberate security measures: Investigators told the Wall Street Journal that the breach was detected during a sales pitch.
CyTech Services, a service-disabled veteran-owned small business based in Manassas, Va., put OPM's network through a diagnostics study as part of a sales demo and happened to uncover embedded malware, investigators told the Journal. A source speaking on condition of anonymity confirmed to FCW that OPM invited CyTech in to demonstrate its product in mid-April, and that the malware was detected at that time.
Chinese hackers to blame?
"The Chinese" are responsible for the OPM hack, Senate Minority Leader Harry Reid said June 11.
As the Associated Press noted, it's unclear whether Reid meant the Chinese government or semi-autonomous hackers, but as the Nevada Democrat is one of the lawmakers privy to the government's most high-level security briefings, his comment corroborates widespread suspicion of the hack's origin.