Hackers have stolen the personal data and social security numbers of every US federal employee because the data was not encrypted, a union representing government workers has claimed.
The claim is made in a letter discussing the massive data breach at the Office of Personnel Management (OPM) which saw cyber criminals make off with an estimated four million government employee records.
The OPM is the human resources department for the federal government, and carries out checks for security clearances. Officials were warned that the breach may have had an impact on every federal agency and have described the breach as among the largest-known thefts of government data in history.
Now, J David Cox, president of the American Federation of Government Employees, has claimed in a letter to OPM director Katherine Archuleta that far more records have been stolen than the government had previously acknowledged.
According to the document, hackers stole military records and the status information, address, birth date, job and pay history, health insurance, life insurance, and pension information of veterans; along with age, gender and race data of government employees.
“We believe that Social Security numbers were not encrypted; a cyber security failure that is absolutely indefensible and outrageous,” the letter said.
“Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees,” it added.
The OPM agency, however, has downplayed the impact of the cyber-attack, arguing that only limited personal information was stolen.
While the US government does not have a firm idea of who carried out the cyber-attack against OPM, Susan Collins, a member of the Senate Intelligence Committee, suggested that it was thought to have derived from China. Democratic senator Harry Reid also said on the senate floor that the December attack was carried out by “the Chinese.” However, the Chinese embassy has told the US the accusations were “not responsible and counterproductive”.
Speaking at the recent Infosecurity Europe conference in London, security technologist Bruce Schneier described how it is now almost impossible to tell who is conducting cyber-attacks against an organisation.
The perpetrators, he said, could be anyone because “the same tactics and targeting and weaponry are used by everybody”.
“We’re actually living in a world where you can be attacked and not know if it is a nuclear-powered government with a $20bn (£13bn) military budget or a couple of guys in a basement somewhere. That’s a legitimate thing to be unsure about. That’s freaky,” said Schneier.
The US Internal Revenue Services has also recently been the victim of a data breach, although rather than accusing China, the organisation suggested that Russia was behind the cyber-attack.