The Office of Personnel Management database penetrated by Chinese hackers didn’t use encryption or other technology to protect the Social Security numbers of federal workers, despite such measures being industry best practice.

The massive data breach there affected the records of 4.1 million current and former federal employees and may be linked to a Chinese state-backed hacker group known as “Deep Panda,” which recently made similarly large-scale attacks on the health insurers Anthem and Premera.

Encryption and data obfuscating techniques “are new capabilities that we’re building into our databases,” Donna Seymour, the OPM chief information officer, told POLITICO.

The revelation comes as security experts debate the motive behind the hack, which vacuumed up personal data normally prized by run-of-the-mill cyber criminals but may turn out to be linked to Chinese intelligence.

Meanwhile, the White House announced it was accelerating the deployment of the computer network security tool known as Einstein 3 Accelerated.

All federal civilian agencies should have a functioning deployment of the Department of Homeland Security’s third-generation Einstein system by next year, rather than 2018 as previously planned, White House press secretary Josh Earnest told reporters Friday. He said DHS made that decision “in recent months.”

OPM is covered by Einstein 2, but not Einstein 3 Accelerated.

But Einstein 3A wouldn’t necessarily have prevented hackers from getting in, Seymour said. Einstein blocks known malicious traffic from getting into federal networks, but at the time of the hack, there was no indicator associated with the attackers to upload into Einstein, she explained. “These indicators, once discovered, were loaded into Einstein to provide protections to other federal networks,” she added.

Economic sanctions and a limited responsive cyberattack should be on the table if the U.S. determines that some portion of the Chinese government was directly involved, former Sen. Joe Lieberman (I-Conn.) said Friday.

“This was not a cyberattack on our infrastructure in a way that would have greatly disrupted our economy or compromised public safety,” said Lieberman, a former chairman of the Senate Homeland Security Committee. “For various purposes I wouldn’t want to escalate to Cyber Defcon 2 or 1 because it wasn’t an attack on that level. But it cannot go unresponded to if we determine with a reasonable degree of certainty where it came from.”

Federal authorities haven’t publicly said who they believe is behind the attack. But John Hultquist, a senior manager at iSIGHT Partners, said his firm was attributing the hack to Deep Panda, a group that’s also known by names like the “Shell_Crew,” “PinkPanther” and “Group 72.” Hultquist said some patterns of the attack match those of the Anthem and Premera breaches, which were revealed in February and March, respectively.

Evidence linking Deep Panda with the Anthem and Premera hacks stems from patterns found within the Internet’s address book, known as the domain registration system, Hultquist said. Deep Panda has a tendency of registering look-alike Web domains similar to their targets, such as we11point.com for “Wellpoint,” Anthem’s previous corporate name. iSIGHT found a pattern of related names being used to register the fake domains — and a search of domain registration data turned up examples of lookalike OPM websites, he said.
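One defensive check that follows from the registration pattern Hultquist describes is to screen newly registered names against the domains an organisation wants to protect. The script below is an added example, not iSIGHT's or anyone else's tooling; it assumes a small, self-chosen table of confusable characters, and every domain other than wellpoint.com and we11point.com is a constructed sample.

```python
from difflib import SequenceMatcher

# Domains to protect. wellpoint.com is the legitimate name the article mentions;
# the other two are constructed for this example.
LEGIT_DOMAINS = ["wellpoint.com", "anthem.com", "opm.gov"]

# Digit-for-letter and letter-pair substitutions seen in lookalike registrations.
# This table is an assumption for the example, not a published list.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

SIMILARITY_THRESHOLD = 0.85  # ratio of matching characters, tuned by hand


def registrable_label(domain: str) -> str:
    """Return the second-level label: 'we11point' for 'mail.we11point.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Map confusable sequences to the letters they imitate, longest first."""
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def classify(candidate: str, legit: str):
    """Explain why `candidate` resembles `legit`, or return None if it does not."""
    a = normalize(registrable_label(candidate))
    b = normalize(registrable_label(legit))
    if a == b:
        return "label-match"  # we11point becomes wellpoint once 1 is mapped to l
    if b in a:
        return "embedded"     # protected name wrapped in extra words (opm-benefits)
    if SequenceMatcher(None, a, b).ratio() >= SIMILARITY_THRESHOLD:
        return "similar"      # single-character typos such as wellpoimt
    return None


def flag_lookalikes(candidates, legit_domains=LEGIT_DOMAINS):
    """Return (candidate, protected_domain, reason) for each suspicious name."""
    hits = []
    for cand in candidates:
        if cand.lower() in legit_domains:
            continue  # the real domain is not a lookalike of itself
        for legit in legit_domains:
            reason = classify(cand, legit)
            if reason:
                hits.append((cand, legit, reason))
                break
    return hits


if __name__ == "__main__":
    # Constructed sample of newly registered names, as a registrar feed might supply.
    sample = ["we11point.com", "wellpoint.com", "opm-benefits.com", "wellpoimt.com", "example.org"]
    for hit in flag_lookalikes(sample):
        print(hit)
```

A hit from this screen is a lead for review, not attribution: as Cassidy notes later in the article, registration data alone is inconclusive, so each flagged name still needs checking against who registered it and what it serves.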

CrowdStrike, the firm that bestowed the Deep Panda moniker, calls the group “one of the most advanced Chinese nation-state cyber intrusion groups.”

Why state-sponsored hackers would want personnel file data remains unknown.

Personal data are normally valuable for identity thieves who want to open up fraudulent financial services accounts, or sell the information on the black market for others to use. But so far, none of the data from the Anthem and Premera breaches have shown up for sale or been used for credit card fraud, Hultquist said.

The Chinese news service Xinhua dismissed the U.S. allegations as “obviously another case of Washington’s habitual slander against Beijing on cybersecurity.” It also pointed to the information disclosed by former NSA subcontractor Edward Snowden, saying the U.S. itself is guilty of “large-scale, organized cyber theft, wiretapping and supervision of political figures, enterprises and individuals of other countries, including China.”

The latest hack’s implications are unsettling. This marks the third or fourth known hack of federal personnel data in approximately a year, including an attack in August that officials attributed to the Chinese government. That’s on top of the Anthem and Premera attacks, along with a recent breach of CareFirst BlueCross BlueShield — which, combined, mean that hackers have gotten into the health records of as many as 1 in 3 Americans.

The Office of Personnel Management said Thursday that it had detected the latest intrusion into its systems in April. The Department of Homeland Security said its US-CERT team concluded in May that OPM data had been compromised.

Paradoxically, detection of the cyberattack is proof that OPM cybersecurity is getting better, Seymour said. Hackers made their way into the system in December and went undetected until April. It was a security upgrade that permitted agency personnel to find the breach and take defensive measures.

Members of Congress said the government clearly has not been doing enough.

“Today’s reported breach is part of a troubling pattern by this agency in failing to secure the personal data of federal employees — the second major breach in a year,” said Sen. Mark Warner (D-Va.), a member of the Senate Select Committee on Intelligence, in a statement Thursday night. “Cyberattacks present a critical threat to our national security and our economy. We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”

Senate Intelligence Chairman Richard Burr (R-N.C.), committee member Angus King (I-Maine), Senate Homeland Security Chairman Ron Johnson (R-Wis.), House Intelligence Committee ranking member Adam Schiff (D-Calif.) and Rep. Gerry Connolly (D-Va.) issued similar statements. “We must start to prevent these breaches in the first place,” Burr said.

Experts on cybersecurity continued to debate whether the evidence points to hackers connected to the Chinese government, as opposed to underworld criminals.

Peter Cassidy, secretary general of the Anti-Phishing Working Group, questioned trying to assign blame based on the Internet’s domain registration information, calling it “very inconclusive.” The database is notoriously flawed — and attribution is also difficult to do based purely on technical data. “On the Internet, there’s nothing more ambiguous than geography,” he said.

On the other hand, Cassidy said, the information stolen from OPM’s computers would undoubtedly be useful to crooks. “When you have that much personal data, you’ve another opportunity to do something else, like apply for a credit card,” he said.

One federal official said he didn’t know whether the hackers were state-sponsored or not.

“China is not a monolith,” the official said. “There are many different things that can be Chinese. You may be seeing something where we’re not going to be pointing the finger [in public], because we don’t have an indictment to lay down.”

“It could be that some underworld actors are being contracted by government actor,” the official added.

Rob Knake, a former cybersecurity official in the Obama White House, said on Thursday that he thought the breach was “more likely to have been a criminal act,” aimed at enabling crimes like online payments fraud, as opposed to launching attacks against U.S. national security. “It’s of very limited value within the intelligence community,” said Knake, who served on the National Security Council staff until earlier this year. “It doesn’t make sense to me that a state intelligence agency would want to deploy resources to get the Social Security number of clerks at the Commerce Department.”

But other cyber experts said the data could be useful to Chinese intelligence in understanding relationships between federal workers and in allowing them to craft more effective phishing emails.

“This is information that will help them break into other systems,” for instance by identifying who the system administrators are for any given department, said former federal Chief Information Security Officer Mark Graff. Administrators are the favorite target for hackers looking to steal passwords because they have broad access to every part of the network.

“I think this is a stepping stone to further intrusions,” agreed Hultquist.

The hacked database is the Central Personnel Data System File, a repository for personal information for the entire federal workforce of 2 million and for just more than 2 million federal retirees and other former employees, officials from the American Federation of Government Employees said.

“We’ve been told that they got the whole personnel data central file,” said Jacqueline Simon, the AFGE’s public policy director.

The data includes names, addresses, pay grades, records of personnel actions such as reprimands, and pension, insurance and health plan details. Social Security numbers in the database should have been masked or encrypted if the agency was using best information security practices, union spokesman Tim Kauffman said.

OPM says it will offer free credit monitoring, identity theft insurance and recovery services to affected employees. The FBI said it will “hold accountable those who pose a threat in cyberspace.”

The OPM database is hosted by the Interior Department, which sells at cost through its Interior Business Center information technology services to other federal agencies.

This isn’t the first time hackers have targeted federal employees’ records.

An OPM contractor, government background-check firm USIS, was breached in an attack attributed to the Chinese government in August that compromised the personal information of more than 27,000 employees. A hack at another OPM contractor, KeyPoint Government Solutions, may have exposed the data of more than 48,000 employees in December. OPM itself was breached in March 2014 by hackers that appeared to target files of employees who applied for top-secret security clearances.

OPM has come under criticism for lax security practices, a perception that its Chief Information Officer Donna Seymour sought to assuage during an April hearing of the House Oversight and Government Reform Committee.

“In an average month, OPM thwarts almost 2.5 billion confirmed attempts to hack its network,” Seymour told the committee. “These attacks will not stop. If anything, they will increase.”

Joseph Marks contributed to this report.