UPDATED: June 4, 2015 6:59 p.m.
WASHINGTON — Approximately 4 million current and former federal employees are affected in a massive data breach involving the federal agency that handles security clearances and employee records.
A congressional aide familiar with the situation, who declined to be named because he was not authorized to discuss it, says the Office of Personnel Management and the Interior Department were hacked. A second U.S. official who also declined to be identified said the data breach could potentially affect every federal agency.
The White House was considering a public announcement of the breach Thursday night or Friday morning, the second official said.
The U.S. Office of Personnel Management says it identified a cyber-intrusion affecting its information technology systems and data this April.
“Within the last year, the OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks,” OPM said in a statement on its website. “The intrusion predated the adoption of the tougher security controls.”
OPM is working with the Department of Homeland Security and the FBI to investigate the full impact of the breach.
The agency says that from Monday, June 8, through June 19 it will send notifications to the 4 million people whose information may have been compromised. It will also offer free credit monitoring and identity theft protection to those employees.
J. David Cox, the president of the American Federation of Government Employees, issued the following statement:
This evening we learned that the personal information of all 2.1 million current federal employees and an additional 2 million federal retirees and former federal employees may have been compromised during a Chinese cyberattack in April. The attack targeted personnel records of federal employees and retirees maintained on computers by the Office of Personnel Management. AFGE is working closely with the Administration to determine the extent of the breach and explore ways to remediate it. We will work with the Administration to ensure that all available measures be taken to secure the personal information of all affected employees, and that these measures be implemented as soon as possible. AFGE will demand accountability and will take every necessary step to see that the interests and security of the nearly 700,000 people we represent are addressed.
The president of the National Treasury Employees Union, Colleen Kelley, also released a statement:
NTEU is very concerned about a breach by computer hackers of a range of federal-employee data held by the Office of Personnel Management (OPM). Data security, particularly in an era of rising incidence of identity theft, is a critically important matter. NTEU was briefed by OPM late today and has shared the available information with its chapters. NTEU will continue to urge OPM to share all available information with us as the situation develops. NTEU will encourage its members to sign up for the credit monitoring as soon as possible, follow all advice such as placing fraud alerts with credit bureaus and carefully monitoring activity for evidence of fraud and identity theft. It is vital to know as soon as possible the extent to which, if any, personal information may have been obtained so that affected employees can be notified promptly and encouraged to take all possible steps to protect themselves from financial or other risks.
OPM has issued the following guidance to affected individuals:
–Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
–Request a free credit report at http://www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, http://www.ftc.gov.
–Review resources provided on the FTC identity theft website, http://www.identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
–You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.
How to avoid being a victim:
–Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
–Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
–Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
–Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
–Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
–If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
–Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).
–Take advantage of any anti-phishing features offered by your email client and web browser.
–Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at http://www.ic3.gov.
The Office of Personnel Management is the human resources department for the federal government, and issues security clearances.
(TM and Copyright 2015 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2015 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)