For the second time in the past 12 months, the agency that acts as the human resources department for federal employees has been hacked. The U.S. Office of Personnel Management said on Thursday that it would be notifying 4 million current and former federal employees that hackers may have stolen their personally identifiable information from the agency’s systems.
The agency said it was in the process of installing new cybersecurity software (probably in response to last year’s hack) when it discovered this attack in April.
Since this latest attack, the agency added even more security, it said:
“Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network,” the agency said on its website.
It’s hard to understand why some of those measures weren’t already in place (deploying anti-malware software? restricting network admin functions?), if the stolen data is as important as federal officials say.
That’s particularly true given the concerns generated by last year’s attack, which involved systems used in reviewing employees security clearance applications, according to The New York Times. There was speculation at the time that hackers from China, perhaps at the direction of the Chinese government, were responsible as part of an effort to gather intelligence on Americans. Again, after Thursday’s hack was announced, government officials repeatedly told journalists off the record that China was behind this latest attack, though no evidence was offered.
Government employees will be offered credit monitoring and identity theft services, OPM said.
“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” said OPM Director Katherine Archuleta. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”