The breach at the U.S. Office of Personnel Management (OPM) that was disclosed earlier this month impacted approximately 18 million current, former and prospective federal employees -- more than four times the 4.2 million originally announced, CNN reports.
FBI Director James Comey recently provided the new estimate to U.S. Senators in a closed-door briefing.
The Chinese hackers behind the OPM hack are also believed to have breached the OPM contractor KeyPoint Government Solutions in 2014.
Investigators looking into the OPM breach found that KeyPoint security credentials were used to access the OPM systems -- though the OPM breach is believed to have pre-dated the KeyPoint breach.
Among the OPM data accessed was information from SF86 forms used for security clearances, which contain not just government employees' personal data, but also the personal data of family members and associates. If SF86 data was stolen, a source told ABC News, an "exponential amount of people" could be affected.
HyTrust president and co-founder Eric Chiu told eSecurity Planet by email that this news is just another example of how hard it is to determine the actual impact of a data breach. "Companies are taking weeks, sometimes months and years, to detect breaches," he said. "And organizations often don’t have good processes regarding data management and what protections, such as encryption, were in place."
"This is a scary situation and should be a wake-up call to organizations, who should now be focusing on taking an inside-out approach to security and assuming the attacker is already on the network as well as encrypting sensitive data so it’s useless if ever accessed or stolen," Chiu added.
And Malwarebytes CEO Marcin Kleczynski said by email that the breach is likely to prompt a sea change in organizations' approaches to protecting data. "In the coming months, the organizations will likely make a massive push at introducing new types of encryption systems, secure backup and intrusion detection systems if they haven’t already," he said.
"We live in a time where most common home users are getting better at protecting their personal data than large companies and government organizations, who assume that they’re secure until an attack occurs," Kleczynski added. "The threat landscape is not what it was 10 years ago."
"The last few years have taught users and experts alike that the only way to combat the dynamic nature of cyber threats is to constantly update, upgrade and modify security measures to match the threat," Kleczynski said. "Hopefully the government, after this massive breach, will step up to the plate and finally devote the resources and attention required to protecting the information they obtain from their citizens and employees."