‘Outrageous failure’: Database hack compromised all US federal workers – union

Reuters/Jim Urquhart
Hackers who attacked a US government database could now be in possession of vast amounts of personal data on every federal employee, as the extent of the damage had been heavily underestimated, according to a union chief in a letter seen by AP.

“We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees,” the President of the Union of American Federal of Government Employees (AFGE), J. David Cox, said in a letter to the Office of Personnel Management (OPM) director Katherine Archuleta, seen by AP.

Last week, the OPM admitted a major cyber-attack took place in December 2014, but it was only detected in April. The hack compromised the personal information of some four million federal employees, the agency originallysaid.

READ MORE: US govt agency hacked, 4 million federal workers affected

While US officials quickly blamed China for the attack, Beijing dismissed the claims saying that jumping to any conclusions and making hypothetical accusations was irresponsible and counterproductive.

However, based on the OPM's internal briefings, Cox believes that the intruders might be actually in possession of all military records and veterans' information, including address, employment history, and all their benefits history.

The hacked database also contains hundreds of other pieces of information on every federal employee, including age, gender, race data and birth dates.

Cox clearly says that their reassessment of the OPM documents made them “believe” that Social Security numbers stored in the database were not encrypted, which is a “cybersecurity failure that is absolutely indefensible and outrageous.”

The OPM initially understated the breach that was detected in April and said that the stolen data “could include” some personal information.

READ MORE: Personal data of 45,000 US federal workers at risk after KeyPoint breach

The union called the breach “an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce,” Cox is cited saying in the letter. He added that almost no “substantive information” was shared with the union, despite it representing the rights of close to 700,000 US federal employees.

The OPM said the union’s claims are overestimated and that the number of those believed affected in the data theft is the same as the office reported last week. Around 4.2 million people may have had their information compromised, the OPM spokesman Sam Schumach told NBC News. That number includes 2.1 million employees, around one million retirees, and 1.1 million “separated workers.”

Meanwhile the Senate’s Democratic leader, Harry Reid, again told the floor that the OPM’s hack was apparently conducted by “the Chinese,” after being briefed on the “most secret intelligence information,” according to AP.

Since the attack, discovered during the implementation of new security protocols, the OPM said it has introduced further measures, such as restricting access and powers of remote administrators, and utilizing anti-malware software for more protection. A review of all connections to the network was also initiated.

The OPM is continuing their assessment of the damage in partnership with the federal intelligence agencies to determine the scope of the intrusion. In their latest press release, the agency stated there was no evidence thus far that there has been “any use or attempted use” of personal data derived from the hack.