Hackers have gained access to confidential personnel records of more than 4 million current and retired federal employees, the U.S. Office of Personnel Management (OPM) said late Thursday. It's the second major breach of federal personnel records in a year.
"The FBI is working with our interagency partners to investigate this matter," the FBI said in a statement Thursday night. "We take all potential threats to public and private sector systems seriously and will continue to investigate and hold accountable those who pose a threat in cyberspace."
OPM, the federal government's equivalent of a private company's Human Resources department, said it couldn't say exactly what data the hackers took but said it could be used in "spear-phishing" attacks -- emails designed to make targets think they are dealing with a legitimate request.
For example, a hacker might have enough information to trick a federal employee into thinking an email came from a colleague or an OPM official.
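The defensive counterpart to that scenario is a mail-gateway check for the three signals such a lure usually carries: a display name that matches a real colleague but a mailbox that does not, a sending domain that imitates the agency's, and a Reply-To that quietly diverts answers elsewhere. The following is an added example written for this page, not code from OPM, DHS or the article; the trusted domain, the two-person roster and the four sample messages are constructed for illustration.

```python
# Added example (not from the article or OPM): flag inbound mail that
# impersonates a colleague or the agency itself. All names, domains and
# messages below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "opm.gov"   # assumption: the agency's genuine mail domain
TRUSTED_LABEL = TRUSTED_DOMAIN.split(".")[0]

# Constructed roster for the example; a real check would read the directory.
ROSTER = {
    "jane doe": "jane.doe@opm.gov",
    "john roe": "john.roe@opm.gov",
}

# Character swaps commonly used to register look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalize_domain(domain):
    """Undo common confusable substitutions so look-alikes compare equal."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def is_lookalike(domain):
    """True if the domain imitates TRUSTED_DOMAIN without being it."""
    if not domain or domain == TRUSTED_DOMAIN:
        return False
    norm = normalize_domain(domain)
    if norm == TRUSTED_DOMAIN:
        return True
    # Treat hyphens as label separators so "opm-gov.com" is caught too.
    labels = norm.replace("-", ".").split(".")
    return TRUSTED_LABEL in labels


def analyze_message(raw):
    """Return a sorted list of findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = set()

    # 1. Display name of a known colleague but a different mailbox.
    key = " ".join(name.lower().split())
    if key in ROSTER and addr.lower() != ROSTER[key]:
        findings.add("display-name-impersonation")

    # 2. Sending domain that imitates the trusted domain.
    if is_lookalike(from_domain):
        findings.add("lookalike-domain")

    # 3. Replies silently redirected to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.add("reply-to-mismatch")

    return sorted(findings)


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": 'From: "Jane Doe" <jane.doe@opm.gov>\nSubject: Benefits update\n\nHi.\n',
    "name_spoof": "From: Jane Doe <jane.doe@gmail.com>\nSubject: Urgent\n\nPlease open.\n",
    "lookalike": "From: HR Benefits <benefits@0pm.gov>\nSubject: Action required\n\nSee attached.\n",
    "reply_to": "From: John Roe <john.roe@opm.gov>\nReply-To: john.roe@mail-relay.example\nSubject: Form\n\nFill in.\n",
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze_message(raw))
```

None of these checks proves a message is malicious; a contractor legitimately writing from an outside mailbox will trip the first one. The value is in routing matches to a quarantine or a visible banner rather than to the inbox, which is where a lure built from a stolen personnel file does its damage.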
News of the breach was not well received on Capitol Hill.
“Today's reported breach is part of a troubling pattern by this agency in failing to secure the personal data of federal employees – the second major breach in a year," said Sen. Mark Warner (D-Va.), a member of the Senate Select Committee on Intelligence. "Cyberattacks present a critical threat to our national security and our economy. We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”
It's one of the largest hacks of government information ever and unofficial reports said the attack bore the markings of the Chinese government.
OPM said it detected the breach in April -- while it was still cleaning up after a March 2014 intrusion -- and the Department of Homeland Security (DHS) said it had concluded "at the beginning of May" that sensitive data had been stolen. Why it took more than a month to inform taxpayers and federal employees of the breach wasn't explained.
In a typically oblique statement, OPM said -- in effect -- that it had stumbled onto the attack while attempting to shore up its defenses:
Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls.
"OPM immediately implemented additional security measures to protect the sensitive information it manages," the statement concluded.
Sen. Warner said he is currently preparing to introduce data breach legislation that would create a "comprehensive, nationwide and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information," presumably one that would require businesses and government agencies to notify employees as soon as intrusions are detected.
Warner chaired the first hearing in Congress in the aftermath of a breach of the retailer Target. On the heels of that hearing, Sens. Warner and Mark Kirk (R-Ill.) called for the private sector to cooperate in creating Information Sharing and Analysis Centers (ISACs) to share information on data breaches, something the retail and financial services industries now have pursued on a voluntary basis.
Additionally, Sens. Warner and Kirk introduced legislation in the last Congress to strengthen consumer protections for debit cardholders by capping liability for fraud at $50, the same amount as for credit cards. Sen. Warner currently is working on legislation to require enhanced private sector data security measures and consumer breach notification.
What to do
Here's the advice OPM offered to federal employees whose records may have been lost due to its inability to safeguard them:
- Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
- Request a free credit report at www.AnnualCreditReport.com.
- Review resources provided on the FTC identity theft website, www.identitytheft.gov.
- You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Call TransUnion at 1-800-680-7289 to place this alert. TransUnion will then notify the other two credit bureaus on your behalf.