Chinese hackers got data on millions of U.S. federal workers, officials fear

Hackers based in China may have obtained personnel data on as many as 4 million federal employees in a large-scale cyberattack uncovered this spring, administration officials said Thursday.

Investigators discovered signs of the attack in April while updating security on government computers, senior administration officials said. The intrusion happened before the adoption of tougher security controls, officials said.


Since uncovering the breach, the federal Office of Personnel Management, which was targeted in the attack, has been working to lock down its system, restricting remote access for network administrators and reviewing all connections to make sure they are open only to those with legitimate business.

The agency is the human resources department for the federal government. Its information technology system holds data on current and former employees and U.S. government contractors, and it conducts background checks for security clearances.


Nearly 300,000 civilian federal employees live in Maryland, making up about 10 percent of the state's workforce. Twenty federal agencies are based in the state, including the Social Security Administration in Woodlawn, the National Security Administration in Fort Meade and the National Institutes of Health in Bethesda.

As the Federal Bureau of Investigation and the Department of Homeland Security work to determine the impact of the breach, the personnel office has been notifying millions of people that some of their personal information may have been stolen. Data from the Interior Department was also compromised.

"Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM," agency director Katherine Archuleta said in a written statement late Thursday.

"We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted."

Archuleta's office is offering credit report checks and monitoring, as well as identity theft insurance for federal workers.

The National Treasury Employees Union said in a statement that officials are "very concerned" about the breach and encouraged union members to sign up for credit monitoring.

"It is vital to know as soon as possible the extent to which, if any, personal information may have been obtained so that affected employees can be notified promptly and encouraged to take all possible steps to protect themselves from financial or other risks," the statement said.

The latest incident appears to be the second time that hackers have penetrated the networks of the personnel office. Law enforcement officials uncovered signs of an attack last spring that hit not only that agency but also the Government Printing Office and Government Accountability Office.


Responding to a rash of cyber problems earlier this year, which included the North Korean cyberattack on Sony Pictures, President Barack Obama in April ordered sanctions on hackers who destroy or pilfer data from computer networks used by the U.S. government and American businesses.

The penalties, which include economic and travel sanctions, were meant to deter costly attacks launched from abroad against U.S. targets.

The American Federation of Government Employees said it is working with administration officials to determine the extent of the latest cyberattack.

"AFGE will demand accountability and will take every necessary step to see the interests and security of the nearly 700,000 people we represent are addressed," union President J. David Cox Sr. said in a statement.

A spokesman for the National Federation of Federal Employees said the union was "obviously really disappointed" by the hack. But Drew Halunen, the organization's legislative director and spokesman, praised the Office of Personnel Management for being forthcoming and notifying employees.

"We look forward to getting more information," he said.


One expert said it's possible that hackers could use information from government personnel files for financial gain. In a recent case disclosed by the Internal Revenue Service, hackers appear to have obtained tax return information by posing as taxpayers, using personal information gleaned from previous commercial breaches, said Rick Holland, an information security analyst at Forrester Research.

"Given what OPM does around security clearances, and the level of detail they acquire when doing these investigations, both on the subjects of the investigations and their contacts and references, it would be a vast amount of information," Holland added.

The Department of Homeland Security said its intrusion detection system, known as EINSTEIN, which screens federal Internet traffic to identify potential cyber threats, identified the hack of OPM's systems and the Interior Department's data center, which is shared by other federal agencies.

It was unclear why the EINSTEIN system didn't detect the breach until after so many records had been copied and removed.

"DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion," the agency said in a statement.

In November, a former Homeland Security contractor disclosed another cyber breach that compromised the private files of more than 25,000 department workers and thousands of other federal employees.


Rep. Adam Schiff, ranking Democrat on the House Intelligence Committee, called the hack "shocking, because Americans may expect that federal computer networks are maintained with state of the art defenses."

Senate Intelligence Committee Chairman Richard Burr, R-N.C., said the government must overhaul its cybersecurity defenses. "Our response to these attacks can no longer simply be notifying people after their personal information has been stolen," he said. "We must start to prevent these breaches in the first place."

The Associated Press contributed to this article.