China suspected in massive U.S. government data breach

David Jackson and Kevin Johnson | USA TODAY

Millions affected by U.S. government data breach: U.S. officials believe China-based hackers compromised the financial data of at least 4 million former and current federal employees in a massive cyber security breach. Experts wonder why the government isn't doing more to protect employee data.

WASHINGTON — The federal government is notifying up to 4 million current and former employees that their personal financial data may have been breached by a hack attack from China, the Obama administration said Thursday.

Credit card data, banking records, and other forms of financial information could have been stolen in the attack, affecting people across the spectrum of the federal government, officials said.

Two U.S. officials, speaking on condition of anonymity because it is an ongoing investigation, said hackers working with China are the main suspects. The Washington Post first reported the possible China connection.

Earlier Thursday, The New York Times reported that the administration had secretly expanded the National Security Agency's warrantless surveillance of Americans' Internet traffic to combat hacking from overseas.

The FBI is investigating the latest hack, saying in a statement that "we take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace."

The Office of Personnel Management — which conducts background checks for security clearances, among other responsibilities — said it is notifying the affected employees, and "offering credit report access, credit monitoring and identity theft insurance and recovery services."

There have been some reports, as yet unconfirmed, that security clearance forms were taken in the breach. Collecting and processing such information is one of the functions of OPM.

If security clearances were part of the breach, it could be much more far-reaching. "It's not only the information in the security clearances, it's also the references," said Rick Holland, a cybersecurity expert at Forrester Research.

Contact information about multiple personal and professional references is typically gathered during the clearance process. "So perhaps the loss is more than just 4 million federal employees. It's kind of a seven degrees of Kevin Bacon," said Holland.

OPM said it is telling the affected individuals to "monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions."

It added: "You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name."

NTEU, the union for federal employees, said it has been notified about the massive security breach. The union's national president, Colleen Kelley, said it is vital to learn the extent of the attack as quickly as possible. That way, she said, affected employees "can be notified promptly and encouraged to take all possible steps to protect themselves from financial or other risks."

The personnel office said in a statement that it "detected a cyber-intrusion affecting its information technology (IT) systems and data" in April. It also said the attack occurred just before the adoption of "tougher security controls."

It's not known how many federal agencies might be affected, but it could be government-wide.

Rep. Adam Schiff, D-Calif., said this is only the latest in a series of data breaches, and this may be the worst one because it could affect 4 million or more people. "It's shocking because Americans may expect that federal computer networks are maintained with state-of-the-art defenses," Schiff said.

Sen. Richard Burr, chairman of the Senate Intelligence Committee, said the latest attack proves that cybersecurity must be a top priority. "Every day, these attacks are getting more technically advanced and now another agency has been compromised," he said.

The Office of Personnel Management said it will "send notifications to approximately 4 million individuals whose PII (personally identifiable information) may have been compromised. Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary."

In a separate statement, the Department of Homeland Security said it is "continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion."

Contributing: Elizabeth Weise in San Francisco