The U.S. Office of Personnel Management (OPM) has announced that it "recently became aware of a cybersecurity incident affecting its systems and data that may have compromised the personal information of current and former Federal employees."
Approximately 4 million individuals' personally identifiable information (PII) was potentially compromised -- and since the investigation is ongoing, OPM says additional PII exposures may also come to light in the future.
The New York Times reports that the breach, which went on for at least several months, appears to have originated in China. It's not clear at this point whether or not it was state-sponsored.
J. David Cox, Sr., president of the American Federation of Government Employees (AFGE), said in a statement that the breach may have exposed "the personal information of all 2.1 million current federal employees and an additional 2 million federal retirees and former federal employees."
"AFGE will demand accountability and will take every necessary step to see that the interests and security of the nearly 700,000 people we represent are addressed," he added.
OPM discovered the incident in April 2015 while adding new security controls to improve the security of its networks.
"Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network," OPM said in a statement.
All those affected are being offered 18 months of free access to credit monitoring services and identity theft insurance from CSID.
HyTrust president and co-founder Eric Chiu noted by email that those potentially affected by the breach include federal employees with top secret security clearances. "This will call into question every government employee, since this information can be used by nation states and terrorists to identify and target those employees in order to gain access to sensitive environments and data," he said.
"In addition, as we saw from the recent IRS attack, this data can also be leveraged to steal other confidential information to gain a full financial and personal profile on these employees, putting them at even greater risk," Chiu added.
Tripwire manager of security research Tyler Reguly said by email that the combination of healthcare and government information could give a nation state everything it needs to pinpoint government officials that meet specific requirements.
"From there, they could look at health records for the target and their loved ones," Reguly said. "It’s not hard to imagine a scenario where a nation state offers to pay for specialized medical treatment or provide an organ donor that would save a life in exchange for state secrets. From a nation-state point of view, this approach could yield valuable data that would be nearly impossible to obtain in other ways."
"While blackmail and offers of money may not work on moral individuals, it's pretty hard to place a value on the life of a loved one," Reguly added. "In fact, this treasure trove of PII has the potential to become the ultimate form of manipulation and greatly increases the risk of insider threat."