OPM hackers stole info on every US federal employee including social security numbers, says union
'We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous'
Hackers stole personal data and tax identification numbers for every US federal employee, a union claims.
The Obama administration had acknowledged that up to 4 million current and former employees are affected by the December cyber breach of Office of Personnel Management (OPM) data, but it had been vague about exactly what was taken.
But J David Cox, president of the American Federal of Government Employees, said in a letter to OPM director Katherine Archuleta that based on incomplete information OPM provided to the union, "we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to 1 million former federal employees".
The OPM data file contains the records of non-military, non-intelligence executive branch employees, which covers most federal civilian employees but not, for example, members of Congress and their staff.
The union believes the hackers stole military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; and age, gender and race data, he said.
Senator Harry Reid, the Democratic Senate leader, said that the hack was carried out by "the Chinese" without specifying whether he meant the Chinese government or individuals. Mr Reid is one of eight politicians briefed on the most secret intelligence information. US officials have declined to publicly blame China, which has denied involvement.
The union, which does not have direct access to the investigation, said it is basing its assessment on "sketchy" information provided by OPM. The agency has sought to downplay the damage, saying what was taken "could include" personnel file information such as tax identification numbers and birth dates.
The tax identification numbers, known in the US as Social Security numbers are a key piece of information used to establish one's identity in the US.
"We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous," Mr Cox said in the letter. The union called the breach "an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce".
Samuel Schumach, an OPM spokesman, said that "for security reasons, we will not discuss specifics of the information that might have been compromised".
Schumach did, however, address Cox's comment on encryption.
"Though data encryption is a valuable protection method, today's adversaries are sophisticated enough that encryption alone does not guarantee protection," he said. "OPM does utilise encryption in some instances and is currently increasing the types of methods utilised to encrypt data."
The central personnel data file contains up to 780 separate pieces of information about an employee.
Mr Cox complained in the letter that "very little substantive information has been shared with us, despite the fact that we represent more than 670,000 federal employees in departments and agencies throughout the executive branch".