When the Office of Personnel Management (OPM) – the agency that manages the civil service of the federal government – suffered a data breach, it initially admitted that the incident had exposed the personal data of four million past and present federal employees.

A few days later, Bloomberg reported that the incident could be linked with a spate of large-scale HIPAA breaches affecting the health care information of nearly 30 million people.

Now, it emerges that the breach was apparently even worse. According to a government workers’ union, the breach actually affected the personal information of every federal employee.

All of them.

Indefensible and outrageous

The Associated Press has obtained a letter from American Federation of Government Employees President J. David Cox to OPM director Katherine Archuleta in which he said that he believed criminal hackers had accessed a database containing up to 780 separate pieces of information about each federal employee:

“We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”

Worse still is Cox’s suggestion that “Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous”.

OPM spokesman Samuel Schumach said that, “for security reasons, we will not discuss specifics of the information that might have been compromised.”

Security failure

If this weren’t bad enough, Wired magazine alleges that the attackers accessed SF 86 forms – the “documents used for conducting background checks for worker security clearances.” These forms contain “a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They can also include potentially sensitive information about the applicant’s interactions with foreign nationals – information that could be used against those nationals in their own country.”

Democratic leader Sen. Harry Reid blamed the hack on “the Chinese”.
