Chinese Hackers Said to Breach Federal Personnel Data Files

U.S. Government Data Hack Linked to Anthem Breach

Hackers based in China breached U.S. Office of Personnel Management computers, according to American officials, stealing records of as many as 4 million current and former federal employees in one of the largest breaches of government personnel data.

The hackers, believed to have links to the Chinese government, got into the computer system late last year, according to one U.S. official, who asked for anonymity to discuss the investigation. The intrusion was detected in April and it took U.S. investigators a month to conclude that the files had been compromised.

The attack is believed to be part of a larger effort by Chinese hackers to get health-care records and other personal information on millions of government employees and contractors from various sources, including insurers, government agencies and federal contractors, said a U.S. intelligence official, also speaking on condition of anonymity.

The data could be used to target individuals with access to sensitive information who have financial, marital or other problems and might be subject to bribery, blackmail, entrapment and other traditional espionage tools, the official said.

Security Clearances

Another person familiar with the breach said the hackers accessed information about individuals who applied for or were granted security clearances. Such data often includes detailed interviews with friends and family members as well as information that could disqualify a candidate from receiving a clearance.

The target of the attack was a data center in Denver. The OPM systems were part of a center operated by the Interior Department for federal agencies, the Department of Homeland Security said in a statement.

The OPM provides information on job candidates for agencies across the federal government, including whether those individuals are suitable for government employment, according to the OPM website.

The Federal Bureau of Investigation and the Department of Homeland Security are investigating the hack, according to a statement from OPM.

Chinese Response

A spokesman for the Chinese Embassy in Washington, Zhu Haiquan, said his country’s laws prohibit cybercrimes and China works to combat violations.

“Cyber-attacks conducted across countries are hard to track and therefore the source of attacks is difficult to identify,” he said in an e-mailed statement. “Jumping to conclusions and making hypothetical accusation is not responsible and counterproductive.”

The federal government plans to notify those who were potentially affected by the breach, and is offering free credit report access, credit monitoring and identity-theft insurance to those whose personal information was compromised.

The OPM said investigators may find that additional personnel files were compromised as they review the breach.

“We take very seriously our responsibility to secure the information stored in our systems,” OPM Director Katherine Archuleta said in the statement.

Information Stolen

Donna Seymour, OPM’s chief information officer, said the information stolen was typical for a personnel file, including Social Security number, date and place of birth and benefit selections. Bank accounts and health information weren’t included and there’s no indication any specific category of workers was targeted, she said.

The American Federation of Government Employees, the biggest union representing federal employees, said that the 4 million affected were roughly split between current federal employees and retirees and former workers. According to the OPM website, there are about 2.6 million civilian workers in executive branch departments.

Representative Adam Schiff, the ranking Democrat on the House Intelligence Committee, called the intrusion “shocking.”

The breach underscored that “a substantial improvement in our cyber databases and defenses is perilously overdue,” Schiff said.

Both public and private computer networks have been targeted by hackers. In February, the health insurer Anthem Inc. said hackers accessed data on about 80 million people. In March, Premera Blue Cross, which operates in the northwestern U.S., said information on 11 million people may have been exposed.

U.S. Defense Secretary Ashton Carter said in April that Russian hackers had breached an unclassified Pentagon computer network. A “crack team of incident responders” began hunting the Russians within hours, he said in a speech at Stanford University that warned of the danger of cyberattacks to the U.S. government.

Other Networks

Criminal hackers are believed to have broken into an unclassified White House computer network last year at the behest of the Russian government. Some U.S. officials said the same hackers earlier breached State Department computers.

The White House hack may have been in retaliation for sanctions the U.S. imposed on Russia after its annexation of Crimea in March 2014, a person familiar with the incident said.

Hackers from more than 100 foreign intelligence agencies probe Pentagon computer networks millions of times every day, Eric Rosenbach, Carter’s top adviser on cybersecurity, told the Senate Armed Services Committee in April.

John Brennan, the director of the Central Intelligence Agency, said in March that cyberthreats were “an urgent national security priority” and announced the formation of a new “digital innovation” unit in the spy agency.

The Russian and Chinese governments have regularly dismissed allegations that they employ hackers to target U.S. computer systems.
