[Image: Capitol building with digital code. Illustration by Thursday Review.]

More Than 22 Million Impacted by Cyber-Attack
Published July 9, 2015

By R. Alan Clanton, Thursday Review editor

The government now says that the hackers who gained access to data from federal websites in early June have stolen the Social Security numbers belonging to at least 22 million people. The hackers behind that massive cyber-attack are believed to be based in China. Beijing has denied involvement in the attack, and has gone further, accusing the United States of deliberately attempting to spark animosity toward China.

Last month, security officials and the White House said that the number of people affected may have been limited to 14 million. Now, however, the White House concedes that the number is much larger. It also says that the type of information stolen by the hackers is far more extensive and penetrative, including complete files on tens of millions of federal employees, along with some 19 million who have been subjected to some form of background check, and hundreds of thousands more who had more extensive background investigations performed.

Though the numbers get complicated, and though there are some overlaps between those who have been subjected to background checks, the government also concedes that roughly two million more files belonging to military spouses and government employee family members were hacked.

In all cases, the data includes addresses, phone numbers, birth dates, and Social Security numbers, along with a variety of other personal information.

The FBI and other investigators say that the digital evidence points to China. Though some officials stop just short of blaming the attack on Beijing, others at the FBI and the Department of Homeland Security are more blunt, suggesting that the cyber-attack has all the thumbprints of a militarized, state-sanctioned Chinese attack. If true, it would be the third or fourth cyber-assault linked directly to mainland China within the last 18 months. In February it was revealed that Anthem Inc. had been the victim of a massive cyber-attack on its computers—a theft which exposed the personal information and billing data of roughly 80 million patients and employees.

The June cyber-attack on the Office of Personnel Management is the largest breach ever of a government-managed database.

Government employees and military personnel who are placed in highly sensitive roles are generally given thorough background checks. Those investigations and background checks are conducted by the Office of Personnel Management, and most of those files are collated and stored electronically in something called the Central Personnel Data File. The files can contain not merely personal data on the employees, but also extensive information and data on the families, friends, and previous employers of federal workers. Some background checks may also include banking information, credit reports, records of major purchases, travel patterns, and even psychological profiles.

A few weeks ago, in the aftermath of the data breach, the OMB and the White House said that government employees would be contacted quickly with a checklist of precautions, along with an offer of assistance for those whose data had been hacked. Among the services being discussed early in June: credit monitoring and identity theft protection for those impacted by the attack.

But not everyone who advocates for government employees thinks that the feds are being forthright in their disclosures to employees. The American Federation of Government Employees (AFGE) says that the government is sharing very little substantive information with its millions of employees.

“Based on the sketchy information OPM has provided,” explained J. David Cox, president of AFGE, in a letter to the OPM, “we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former employees.” Cox worries that the extensive data found in those records may exceed what the White House and other agencies are admitting may have been compromised.

Cox believes that if the hackers gained access to the files, they may also now have in their possession rates of pay (past and current), insurance data, medical records, direct deposit information, criminal records, and even correspondence regarding disciplinary action, transfers and promotions. And those files on employees with background checks would expose deeply personal data, including the names of references, friends and past contacts.

Garden-variety hackers primarily seek only as much information as would be needed to gain access to debit card or credit card accounts. Security analysts worry that if in fact this attack was the work of a state-sponsored unit in China, the information stolen could be used for more than access to a Visa card or a bank account. Such detailed information could be used for espionage or blackmail, or for the outright identity theft of tens of thousands of people with extensive access to a variety of realms of government service.

In his letter to the OMB, Cox also derided the OMB’s failure to encrypt the most crucial elements of the data: Social Security numbers, addresses, dates of birth—the three most critical elements most often used by hackers and identity thieves.

AFGE has filed a class action lawsuit charging the OMB and other government agencies with failing to protect federal employee information.
