The U.S. Office of Personnel Management (OPM) disclosed that it was the victim of a data breach that may have compromised the personal information of approximately 4 million current and former federal employees.
Multiple media reports have alleged that unnamed government sources have cited China as the source of the hack, while Chinese officials have denied the allegations.
"Within the last year, OPM has undertaken an aggressive effort to update its cyber-security posture, adding numerous tools and capabilities to its networks," the OPM stated. "As a result, in April 2015, OPM became aware of the incident affecting its IT systems and data that predated the adoption of these security controls."
OPM also stated that after identifying the incident, it engaged with the U.S. Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to assess the impact of the data breach. OPM also stated that it has since implemented new security controls to protect sensitive information.
Starting on June 8, the OPM will send formal notifications to the 4 million individuals affected by the data breach.
"To mitigate the risk of fraud and identity theft, OPM is offering affected individuals credit-monitoring services and identity-theft insurance with CSID, a company that specializes in identity-theft protection and fraud resolution," OPM stated. "This comprehensive, 18-month membership includes credit report access, credit monitoring, identity-theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM."
The OPM is not the first U.S government agency to disclose a data breach in recent months. Last fall reports surfaced about the breach of an unclassified White House network as well as attacks on the United States Post Office and the National Oceanic and Atmospheric Administration (NOAA).
Security researchers eWEEK contacted said breaches of government agencies are serious but not surprising.
"The U.S. government will always be in the cross hairs of cyber-espionage efforts, and given the reach OPM has across the U.S. government's clearance records, it isn't too surprising they found themselves a victim," Ryan Trost, co-founder and CIO at ThreatQuotient, told eWEEK. "Knowledge is power in the world of governments, and although servers house that knowledge, employee records provide a treasure chest of target-rich information to coordinate future attacks with."
Greg Kazmierczak, CTO of Wave Systems, commented that hackers see government agencies as high-value targets with proven vulnerabilities. "We should be very concerned by how our enemies will attempt to exploit this information," Kazmierczak told eWEEK.
Andy Hayter, security evangelist at G DATA Software, noted that while it's still early in the OPM investigation to connect the dots with other U.S. government breaches, it is likely that each one that occurs is arming cyber-criminals with exactly what they need and want to execute additional attacks. "Unfortunately, every time there's another breach on a federal agency, it spells out our vulnerabilities loud and clear to our adversaries, letting them know there are many more opportunities for them to hack our systems and networks over and over again," Hayter told eWEEK.