Union Says Every Federal Employee’s Social Security Number Was Compromised in Hack

We should have known.

A week ago, government officials said that the Office of Personnel Management and some other agencies had suffered extensive hacks. They estimated that roughly 4 million current and former federal employees had been affected. Now the American Federation of Government Employees, a major government union, says that the number is much higher and that the breach affects “every federal employee, every federal retiree, and up to one million former federal employees.”

The Associated Press obtained a letter the union wrote to OPM criticizing how the agency has handled the situation. J. David Cox, the president of the union, wrote, “We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.”

OPM reports that in 2014 there were 4.185 million civillian federal employees. However, the American Federation of Government Employees says that military records and information about veterans’ statuses were also stolen. So if the union is correct that current, retired, and former employees are affected plus the military, then the total number of people impacted is millions higher than the original government estimate of 4 million. The union says its assessment is based on internal OPM briefings.

Additionally, government officials told ABC News that the hackers had server access for more than a year, much longer than the administration originally described. After infiltrating, the intruders moved through four “segments” of the OPM network.

The Hill reports that OPM is paying $20 million to identity protection company CSID so government employees can have credit and identity monitoring for 18 months. But another large union, the National Federation of Federal Employees, says that many of its members haven’t been contacted with information or resources yet, and that CSID only provides automated customer service, not the ability to contact a representative.

Union president William Dougan told the Hill, “We want to start seeing real answers to the legitimate and numerous concerns of exposed federal employees. … While we understand there is immense complexity with reviewing a cyberattack, the response to this point has been inadequate.”

The hack is still being unofficially attributed to the Chinese government (including by Sen. Harry Reid), though the administration has not said that China is the suspect. The Chinese government denies any involvement.

The Wall Street Journal reports that OPM discovered the breach while being pitched on a new cybersecurity product. A security firm, CyTech Services, was showing off its platform CyFIR and ran a sample diagnostics on the OPM network. But instead of acting as a fun demo, the scan revealed suspicious malware.

Speaking about the breach on Tuesday, Rep. Devin Nunes, R-Calif., the chairman of the House Permanent Select Committee on Intelligence, said, “We don’t know what we don’t know, which is a real concern.” Yup.

Update, June 12, 2015, 5:15 p.m.: The Associated Press reports that officials are describing a sort of “second hack” related to the OPM breach that specifically affects intelligence and military personnel. The compromised data reveals security clearance information plus personal details about employees’ potential histories of mental illness, substance use, financial troubles, and arrest records. The records also contain lists of foreign relatives, social security numbers, and the SSNs of cohabitants. Government officials had previously said that security clearances and background checks were not compromised.