WASHINGTON – As many as 14 million current and former civilian U.S. government employees have had their personal information exposed to hackers, according to two people who were briefed on the investigation, a far higher figure than the 4 million the Obama administration initially disclosed.
American officials have said the cybertheft originated in China and that they suspect espionage by the Chinese government, which has denied any involvement.
The newer estimate puts the number of compromised records between 9 million and 14 million going back to the 1980s, said one congressional official and one former US official, who spoke to The Associated Press on condition of anonymity because information disclosed in the confidential briefings includes classified details of the investigation.
There are about 2.6 million executive branch civilians, so the majority of the records exposed relate to former employees. Contractor information also has been stolen, officials said.
If the attack was indeed espionage, the personnel records would provide a foreign government an extraordinary roadmap to blackmail, impersonate or otherwise exploit federal employees in an effort to gain access to U.S. secrets —or entry into government computer networks.
The data in question contain the records of most federal civilian employees, though not members of Congress and their staffs, members of the military or staff of the intelligence agencies.
The latest revelation came a day after a major union said it believes the hackers stole personnel data and Social Security numbers for all the federal workers in a central personnel database. The Social Security numbers were not encrypted, the American Federation of Government Employees said, calling that “an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce.”
Samuel Schumach, an Office of Personnel Management spokesman, would not address how the data was protected or specifics of the information that might have been compromised, but said, “Today’s adversaries are sophisticated enough that encryption alone does not guarantee protection.” OPM is nonetheless increasing its use of encryption, he said.
The Office of Personnel Management is a repository for extremely sensitive information assembled through background investigations of employees and contractors who hold security clearances.
Outside experts were pointing to the breach as a blistering indictment of the U.S. government’s ability to secure its own data two years after a National Security Agency contractor, Edward Snowden, was able to steal tens of thousands of the agency’s most sensitive documents.
After the Snowden revelations about government surveillance, it became more difficult for the federal government to hire talented younger people into sensitive jobs, particularly at intelligence agencies, said Evan Lesser, managing director of ClearanceJobs.com, a website that matches security-clearance holders to available slots.
“Now, if you get a job with the government, your own personal information may not be secure,” he said. “This is going to multiply the government’s hiring problems many times.”
The Obama administration had acknowledged that up to 4.2 million current and former employees whose information resides in the Office of Personnel Management server are affected by the December cyberbreach, but it had been vague about exactly what was taken.
J. David Cox, president of the American Federation of Government Employees, said in a letter Thursday to OPM director Katherine Archuleta that based on incomplete information OPM provided to the union, “the hackers are now in possession of all personnel data for every federal employee, every federal retiree and up to 1 million former federal employees.”
Another federal union, the National Active and Retired Federal Employees Association, said Friday that “at this point, we believe AFGE’s assessment of the breach is overstated.” It called on the OPM to provide more information.
The AFGE union believes the hackers stole military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance and pension information; and age, gender and race data, he said
The union’s release and Minority Leader Harry Reid’s comment in the Senate put into sharper focus what is looking like a massive cyberespionage success by China. Sen. Susan Collins, R-Maine, an Intelligence Committee member, has also said the hack came from China.
Rep. Mike Rogers, the former chairman of the House Intelligence Committee, said last week that Chinese intelligence agencies have for some time been seeking to assemble a database of information about Americans. Those personal details can be used for blackmail or to shape bogus emails designed to appear legitimate while injecting spyware on the networks of government agencies or businesses Chinese hackers are trying to penetrate.
U.S. intelligence officials say China, like the U.S., spies for national security advantage. Unlike the U.S., they say, China also engages in large-scale theft of corporate secrets for the benefit of state-sponsored enterprises that compete with Western companies. Nearly every major U.S. company has been hacked from China, they say.