Data breach at OPM: Four million US government employee records may have been accessed

Hackers are said to have been based in China, but US should be concerned that data could be used to create cross-agency attacks

The Office of Personnel Management (OPM), a US federal agency, has been the target of a cyber attack in which up to four million former and current government employee records may have been breached.

The OPM is the human resources department for the federal government, and carries out checks for security clearances. Officials warned that the breach may have had an impact on every federal agency and have described the breach as among the largest known thefts of government data in history.

Susan Collins, a member of the Senate Intelligence Committee, suggested that the attack was thought to have derived from China, while anonymous sources mentioned in the New York Times and the Washington Post claimed that Chinese hackers were behind the breach.

But the Chinese embassy in the US called for the US government to not jump to conclusions.

Zhu Haiquan, a Chinese embassy spokesperson, told Reuters that the accusations were "not responsible and counter productive".

The federal agency was alerted to the breach after its cyber security system dubbed Einstein detected an intrusion in April 2015.

In a statement, the department of homeland security said:

"The FBI is conducting an investigation to identify how and why this occurred.

"DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion."

At this moment, officials believe that information that may have been stolen included employee job assignments, performance reviews and training, but not background checks and clearance investigations.

Mark Bower, global director at HP Security Voltage, said that the attack was significant because the perpetrators are likely to have detailed personal information that could allow them to create cross-agency attacks.

"It's likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defence or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft."

The hack follows an attack on the Internal Revenue Service (IRS) that compromised the details of 10,000 taxpayers. The IRS believed that the catastrophic data breach it suffered was the work of hackers based in Russia.

John Koskinen, the IRS commissioner, told the Senate committee earlier this week that the attack was down to underfunding. He said that without the required funding the agency was struggling to keep up with sophisticated threats.