X

Hack affected every single federal employee, union says

A breach revealed last week affected more people and grabbed more personal information than previously announced, the American Federation of Government Employees said Thursday.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read

Andrew Brookes/Getty Images

A December breach of government systems containing personal information of millions of federal employees was worse than originally thought.

A union of federal workers said Thursday that the attack, announced last week, had stolen confidential information of every single federal employee, past or present -- far more than was previously revealed. The government disputes those claims.

It's the latest in a spree of damaging hacks against the government, including an attack in March 2014 that also involved federal employee records.

Hackers acting in the name of a political agenda, and those paid by other countries, have stepped up their efforts to breach U.S. government systems for a variety of reasons. In some cases, they've hoped to embarrass President Barack Obama's administration, and in others they've made statements about the US military. Successful attacks include a group that breached the CIA's public website, another that took control of the US military's Twitter feed, and a group that successfully intercepted the president's emails.

In this case, if the union is correct, the hack would be the first to affect every employee of any organization or company.

The union's allegations come a few months after Obama promised the federal government would work with companies to protect people from hacks and identity theft. Obama's administration has since blamed Chinese hackers for the breach of federal employee information.

"We believe that hackers are have every affected person's Social Security number, military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more," American Federation of Government Employees President J. David Cox wrote in a letter to the US Office of Personnel Management. Worse, he wrote the Social Security numbers of employees don't appear to have been protected with encryption algorithms, a standard security measure for sensitive information. Cox called the lack of adequate security controls "absolutely indefensible and outrageous."

Jackie Koszczuk, a spokeswoman for the Office of Personnel Management, said in the Associated Press report that every current and retired federal employee's records were compromised was not correct.

The letter was first obtained by the Associated Press.

The attack was first revealed last week, when the government said the personal information of 4 million federal workers had been breached. The union said it believes "the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees," Cox wrote.

The government has pledged to notify each affected employee of the hack and offer services to help counter any abuse of their information.