Four million current and former federal employees, from nearly every government agency, might have had their personal information stolen by Chinese hackers, U.S. investigators said.
U.S. officials believe it could be the biggest breach ever of the government’s computer networks. China called the allegation irresponsible.
The Office of Personnel Management, which is conducting background checks, warned it was urging potential victims to monitor their financial statements and get new credit reports.
Federal employees lash out
Some federal employees said they were angry.
“I think it’s disgusting,” said Craig Oliver, who recently left an IT job with the Centers for Disease Control and Prevention in Atlanta for private-sector employment.
“Breaches happen, but this one is particularly massive,” he told CNN.
Other users took to Facebook to express their displeasure.
“Unreal, I don’t have enough money as it is,” Facebook user Shari Saeler posted on the Office of Personnel Management’s page. “Now I have to worry about someone stealing it!”
Retiree Linda Eleanor Rigby Robbins posted she didn’t know if she was affected.
“I do not understand why I heard this on the news instead of via letter or email from OPM,” she wrote.
George Thomas, who works at the Smithsonian Institute, said he felt his employer had done its job in trying to keep his personal information safe. But Thomas also said that in the fast-changing world of technology, it can be difficult for employers to stay ahead of hackers and information breaches.
“It’s an uphill battle,” Thomas said.
The breach was initially thought to have affected the Office of Personnel Management and the Department of Interior, but government officials said hackers hit nearly every federal government agency.
An assessment continues, and it is possible millions more government employees may be affected.
U.S. investigators: We believe this was China’s work
U.S. investigators believe they can trace the breach to the Chinese government. Hackers working for the Chinese military are believed to be compiling a massive database of Americans, intelligence officials told CNN on Thursday night.
It is not clear what the purpose of the database is.
The Washington Post and The Wall Street Journal first reported Thursday that Chinese hackers were responsible for the breach.
The Chinese Foreign Ministry neither confirmed nor denied its involvement in the hack, simply pointing out it too has been a victim of cyberattacks in the past.
“China itself is also a victim of cyberattacks,” Chinese Foreign Ministry spokesman Hong Lei said Friday in Beijing. “China resolutely tackles cyberattack activities in all forms.”
He added that China would like to have more global cooperation “to build a peaceful and safe, open and collaborative cyberspace.”
And he also called on the United States not to make groundless accusations about China’s involvement “but instead add more trust and cooperating in this field.”
A spokesman from the Chinese Embassy in Washington late Thursday objected to allegations that the Chinese government may be behind the massive hack.
“Cyberattacks conducted across countries are hard to track, and therefore the source of attacks is difficult to identify. Jumping to conclusions and making (a) hypothetical accusation is not responsible and counterproductive,” Zhu Haiquan said.
EINSTEIN detection system
Employees of the legislative and judicial branches and uniformed military personnel were not affected.
There are 2.7 million federal executive branch employees. It’s unclear whether the breach affected all of them, along with former employees, or only a portion of them.
The federal personnel office learned of the data breach after it began to toughen its cybersecurity defense system. When it discovered malicious activity, authorities used a detection system called EINSTEIN to unearth the information breach in April, the Department of Homeland Security said.
A month later, the federal agency learned sensitive data had been compromised.
The FBI is investigating what led to the breach.
“We take all potential threats to public and private sector systems seriously and will continue to investigate and hold accountable those who pose a threat in cyberspace,” the FBI said in a statement.
The federal personnel office said “personally identifiable information” had been breached, though the office didn’t name who might be responsible.
Senator: The breach is ‘disturbing’
Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wisconsin, called the breach “disturbing” and said the Office of Personnel Management needs to do a better job securing its information.
“It is disturbing to learn that hackers could have sensitive personal information on a huge number of current and former federal employees — and, if media reports are correct, that information could be in the hands of China,” Johnson said in a statement. “(The office) says it ‘has undertaken an aggressive effort to update its cybersecurity posture.’ Plainly, it must do a better job, especially given the sensitive nature of the information it holds.”
U.S. Rep. Adam Schiff of California, the top Democrat on the House Intelligence Committee, said hackers are one of the “greatest challenges we face on a daily bases.”
“It’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue,” Schiff said in a statement. “That’s why the House moved forward on cybersecurity legislation earlier this year, and it’s my hope that this latest incident will spur the Senate to action.”
And former Arkansas governor and 2016 Republican presidential hopeful Mike Huckabee blasted the Obama administration in a statement over what he felt were inadequate precautions taken to protect the personal data of millions of federal workers.
“What will it take for the White House to do its job? What will it take for the Obama administration to wake up and defend America?” he asked. “The lack of common sense in this White House is beyond breathtaking.”
At a press briefing earlier Friday, White House Press Secretary Josh Earnest, citing the ongoing investigation, declined to discuss specific details about the attack. But he blamed Congress for not doing enough to pass laws that would enhance cybersecurity.
“We need the United States Congress to come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system,” he said.