Saturday, June 13, 2015

Union Believes Data Breach Was Worse Than Disclosed - Wall Street Journal

Updated June 11, 2015 9:55 p.m. ET
WASHINGTON—A union representing federal employees slammed the Office of Personnel Management’s response to a widespread hack of its data, calling the breach “an abysmal failure” on the part of the agency and contending that it was far worse than disclosed.

The American Federation of Government Employees alleged that the breach allowed hackers, believed by some U.S. officials to be based in China, to obtain “all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.” The union said the stolen data include Social Security numbers, and believes that the data weren’t encrypted.

The allegations were made by J. David Cox, the union’s national president, in a letter to OPM Director Katherine Archuleta. Mr. Cox also expressed frustration that employees had trouble finding out the extent of the problem, saying they didn’t have “access to a living, breathing human being knowledgeable enough to answer questions.”

OPM has told employee unions it believes the hackers had access to the personnel records of 2.1 million current government employees, 1.1 million former employees and an additional 1 million retired employees. But some of the union executives said they believe the numbers could be larger than these estimates. The AFGE’s accusation would push the total number of exposed records much higher, suggesting that data on as many as six million or seven million people could have been compromised.

“For security reasons, we cannot discuss specifics of the information that might have been compromised. The investigation is ongoing and OPM is committed to conducting notifications as necessary,” an OPM official said Thursday.

Mr. Cox, in his letter, made clear his figures on the breach were fuzzy, something he blamed on the OPM itself. He said he had received “sketchy information” from the agency, making it difficult to ascertain the impact.

He said he believed the OPM’s “Central Personnel Data File” was hacked. The agency has numerous data networks, and it hasn’t identified which one was hacked. The Central Personnel Data File contains records for most federal civilian employees, the agency has said, and it has 69 different categories for each employee, ranging from Social Security numbers to disability records.

Mr. Cox said his union represents 670,000 employees in the government’s executive branch.

The OPM disclosed the breach last week, but four people familiar with the investigation said the breach was discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services. The company, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.

The OPM has said it would cover 18 months of credit monitoring for all affected current and former employees. Mr. Cox, in his letter, said the agency “owes employees free lifetime credit monitoring and liability insurance that covers the entirety of any loss attributable to the breach.”

Current and former U.S. officials briefed on the numerous investigations into the breach said it still wasn’t clear which data were exposed and how extensive the breach might have been. Some U.S. officials said they believe the OPM’s networks could have been penetrated as many as four times over the past two years, while others believe the agency could have experienced one breach two years ago that proved difficult to eradicate.

The White House has stopped short of identifying who perpetrated the breach, but at least two lawmakers briefed on the probe said they believe the hackers were based in China. Chinese government officials have denied the accusations.

Write to Damian Paletta at damian.paletta@wsj.com

