China-based hackers stole sensitive personal information on as many as 4 million current and former federal employees from government computers, officials said Thursday, underscoring the growing threats to data stored even in what are supposed to be the most secure of systems.
The Office of Personnel Management, which is the government’s human resources agency, said it is notifying 4 million people that “personally identifiable information” may have been compromised in the breach.
The government said it will pay for 18 months’ worth of credit monitoring for those affected. OPM Director Katherine Archuleta said the department is rushing to improve cybersecurity and insisted that officials “take very seriously our responsibility to secure the information stored in our systems.”
The revelation comes on the heels of the IRS acknowledgment that hackers broke into one of its systems and stole the tax transcripts, including some of the most sensitive information possible, from about 104,000 taxpayers. In 13,000 cases, the hackers used the information to file false refund requests and stole as much as $39 million from the federal government.
The breach affected systems at the Interior Department and the OPM.
Homeland Security Department officials, who are tasked with defending against cyberattacks, said they are working with the FBI to get to the bottom of the apparent attack.
“As we constantly do, DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion,” said Homeland Security spokesman Sy Lee.
The FBI said it “will continue to investigate and hold accountable those who pose a threat in cyberspace.”
The hackers were believed to be based in China, said Sen. Susan M. Collins, Maine Republican.
Ms. Collins, a member of the Senate Select Committee on Intelligence, said the breach was “yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances.”
A U.S. official who declined to be identified told The Associated Press that the data breach could affect every federal agency. One key question is whether intelligence agency employee information was stolen. Former government employees were affected as well.
“This is an attack against the nation,” said Ken Ammon, chief strategy officer of Xceedium.
He said the attack fit the patterns of those carried out by nation states for the purpose of espionage.
The information stolen could be used to impersonate or blackmail federal employees with access to sensitive information, he said.
It was unclear when the breach happened, though it was discovered only after OPM began more thorough monitoring of its own network. The agency detected a problem in late April and confirmed the breach in early May.
“The cyberthreat from hackers, criminals, terrorists and state actors is one of the greatest challenges we face on a daily basis, and it’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue,” said Rep. Adam B. Schiff, the ranking Democrat on the House Permanent Select Committee on Intelligence.
Mr. Schiff said the breach was particularly troubling because it affected computer systems that most Americans expect to be defended by state-of-the-art measures.
The OPM said the investigation into the extent of the problem isn’t complete and the number of people affected could increase.
In the IRS breach, hackers took personal information — probably bought online in massive databases — and used it to impersonate taxpayers, answering questions that only the taxpayers were supposed to know, such as their car payments. Once authenticated as taxpayers, the hackers accessed entire transcripts and used some of them to request bogus refunds.
IRS officials said the hackers tried to get into about 200,000 accounts but succeeded in penetrating only 104,000. IRS officials said the hack began in February and lasted until May, when the agency discovered the suspicious activity.
In the hack announced Thursday, the government didn’t realize it had a problem until it upgraded its network monitoring tools.
Mr. Ammon said federal agencies are rushing to install two-factor authentication with smartcards, a system designed to make it harder for intruders to access networks. But implementing that technology takes time.
Senate intelligence committee Chairman Richard Burr, North Carolina Republican, said the government must overhaul its cybersecurity defenses. “Our response to these attacks can no longer simply be notifying people after their personal information has been stolen,” he said. “We must start to prevent these breaches in the first place.”
⦁ This article is based in part on wire service reports.