A cyber attack targeting the Office of Personnel Management in April may have compromised the personal information of more than 4 million current and former federal employees, the agency announced Thursday.
OPM said it is notifying all individuals whose personally identifiable information may have been compromised. “Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary,” the agency said in a press release.
The agency said it is offering credit report access, 18 months of credit monitoring, up to $1 million in identify theft insurance and recovery services to individuals who may have been affected at no cost.
“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” said OPM Director Katherine Archuleta. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”
Meanwhile, press reports citing unnamed government officials claim the Department of Interior has also been hacked and that the breach may impact every federal agency. FedScoop could not independently confirm these reports by press time.
OPM said it is working with the Department of Homeland Security and the FBI to investigate the breach.
An official withe the Interior Department said the department is working closely with OPM, DHS and the FBI as they investigate the incident but would not confirm if DOI had also suffered a breach. “We continue to be vigilant to ensure that necessary security measures are in place to further strengthen and protect agency, customer, and employee data,” the official said, speaking on condition of anonymity. “Interior is employing a comprehensive, multi-pronged remediation strategy to prevent, detect and act against malicious activity on our network in order to respond and recover following an incident. Central to this effort are measures to protect personnel data of our employees. Due to the ongoing nature of the investigation, we have no further comment at this time.”
“Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network,” the agency said in a statement.
News of the hack comes in the midst of an OPM effort to improve its cybersecurity protections. Two OPM contractors responsible for personnel background investigations suffered data breaches during the past year. Last August, Falls Church, Virginia-based USIS said a state-sponsored attack exposed information on up to 27,000 prospective government employees. In December, Fairfax, Virginia-based KeyPoint Government Solutions notified OPM of a breach that exposed information belonging to more than 48,000 government employees.