Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, asserting that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged.
Sen. Harry Reid, the Democratic leader, said on the Senate floor that the December hack into Office of Personnel Management data was carried out by "the Chinese" without specifying whether he meant the Chinese government or individuals. Reid is one of eight lawmakers briefed on the most secret intelligence information. U.S. officials have declined to publicly blame China, which has denied involvement.
J. David Cox, president of the American Federation of Government Employees, said in a letter to OPM director Katherine Archuleta that based on the incomplete information the union received from OPM, "We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees."
The OPM data file contains the records of non-military, non-intelligence executive branch employees, which covers most federal civilian employees but not, for example, members of Congress and their staffs.
The union believes the hackers stole military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance and pension information; and age, gender and race data, he said. The letter was obtained by The Associated Press.
The union, which does not have direct access to the investigation, said it is basing its assessment on "sketchy" information provided by OPM. The agency has sought to downplay the damage, saying what was taken "could include" personnel file information such as Social Security numbers and birth dates.
"We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous," Cox said in the letter. The union called the breach "an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce."
Samuel Schumach, an OPM spokesman, said that "for security reasons, we will not discuss specifics of the information that might have been compromised."
The central personnel data file contains up to 780 separate pieces of information about an employee.
Cox complained in the letter that "very little substantive information has been shared with us, despite the fact that we represent more than 670,000 federal employees in departments and agencies throughout the executive branch."
The union's release and Reid's comment in the Senate put into sharper focus what is looking like a massive cyber espionage success by China. Sen. Susan Collins, an intelligence committee member, has also said the hack came from China.
Mike Rogers, the former chairman of the House intelligence committee, said last week that Chinese intelligence agencies have for some time been seeking to assemble a database of information about Americans. Those personal details can be used for blackmail, or also to shape bogus emails designed to appear legitimate while injecting spyware on the networks of government agencies or businesses Chinese hackers are trying to penetrate.
U.S. intelligence officials say China, like the U.S., spies for national security advantage. Unlike the U.S., they say, China also engages in large-scale theft of corporate secrets for the benefit of state-sponsored enterprises that compete with Western companies. Nearly every major U.S. company has been hacked from China, they say.
The Office of Personnel Management is also a repository for extremely sensitive information assembled through background investigations of employees and contractors who hold security clearances. OPM's Schumach has said there is "no evidence" that information was taken. But there is growing skepticism among intelligence agency employees and contractors about that claim.
In the Senate on Thursday, Democrats blocked a Republican effort to add a cybersecurity bill to a sweeping defense measure. The vote was 56-40, four votes short of the number necessary.
Democrats had warned of the dangers of cyberspying after the theft of government personnel files, but Democrats voted against moving ahead on the legislation, frustrated with the GOP-led effort to tie the two bills together. President Barack Obama has threatened to veto the defense legislation over budget changes by the GOP.
"The issue of cybersecurity is simply too important to be used as a political chit and tucked away in separate legislation." said Sen. Chris Coons, D-Del.