In the absence of adequate information provided by the Office of Personnel Management (OPM), a federal employee union concludes that the massive security breach affecting the data of millions of government workers is far worse than the Obama administration will admit.
In a letter addressed to Katherine Archuleta, director of the OPM, J. David Cox, national president of the American Federation of Government Employees (AFGE) says the union believes the hackers targeted the Personnel Data File, which contains 780 pieces of information about each employee, including Social Security numbers, military records, veterans' status information, home address, insurance information, pension information, job history and other sensitive information whose theft compromises each affected employee's security.
Furthermore, the union believes the Social Security numbers were not encrypted, which is "absolutely indefensible and outrageous." It also challenges OPM's earlier claim that the breach affected four million individuals, saying that all federal employees, all federal retirees and up to one million former federal employees had their personal information stolen by hackers.
The union based its conclusions on the "sketchy" information that OPM has provided. OPM says the ongoing investigation into the breach prevents it from sharing what happened with the affected employees, despite the fact that AFGE represents around 670,000 federal employees of the executive branch.
In an attempt at damage control, OPM also said what was taken "could include" sensitive private data, such as the SSNs and birthdates of employees. It also said it will not reveal the specifics on what data has been stolen "for security reasons."
"OPM has attempted to justify the withholding of information on the breach by claiming that the ongoing criminal investigation restricts your ability to inform us of exactly what happened, what vulnerabilities were exploited, who was responsible for the breach, and how damage to affected individuals will be compensated," Cox says [pdf].
The breach, which was announced last week, was discovered in April during a sales demonstration of security software by Virginia-based security firm CyTech Services to OPM, says four sources cited by The Wall Street Journal. The Journal reports that upon a diagnostic scan of OPM's network, the firm's CyFir cybersecurity tool discovered malware embedded in the network that appears to have been there for more than a year.
Although investigators have yet to point out who is responsible, Sen. Harry Reid and Sen. Susan Collins have pointed their fingers at "the Chinese" but did not specify if the hack was performed by the Chinese government or Chinese individuals.
Upon the announcement of the hack, OPM signed a $20 million contract with a cybersecurity firm to offer identity fraud protection for affected employees, but AFGE says the $1 million liability insurance and 18 months of credit monitoring offered by OPM is "entirely inadequate."
Photo: Ivan David Gomez Arce | Flickr