U.S. officials said hackers in China launched a massive cyberattack on the federal agency responsible for collecting background information on, and issuing security clearances for millions of government employees.
The Office of Personnel Management (OPM) said Thursday as many as 4 million current and former federal employees may have been affected. It said that number could go higher as the investigation continues.
Law enforcement officials said they believe China-based hackers, possibly with links to the Chinese government, were behind the attack, believed to be the most extensive breach of federal employee data in years.
Accusations called 'irresponsible'
China said Friday that any allegations it was involved in breaking into U.S. government computers are irresponsible.
Chinese Foreign Ministry spokesman Hong Lei said at a regular news briefing that Beijing hopes the U.S. would be “less suspicious and stop making any unverified allegations, but show more trust and participate more in cooperation.”
“We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source,” Hong said. “It's irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation.”
China's military is believed to have made cyber warfare capabilities a priority more than a decade ago. One of the few public announcements of the capabilities came in a May 25, 2011, news conference by Defense Ministry spokesman Geng Yansheng, in which he spoke of developing China's “online” army.
Zhu Haiquan, a Chinese embassy spokesman in Washington, said China outlaws cyber warfare, saying "jumping to conclusions and making hypothetical accusations is not responsible and counterproductive."
Representative Adam Schiff, the top Democrat on the House Intelligence Committee, said this attack is most shocking "because Americans may expect that federal computer networks are maintained with state of the art defenses."
An 'unusual' target
It would be somewhat uncommon for Chinese state-affiliated hackers to target the personal information of government employees, said Rob Pritchard, a cyber security specialist at the Royal United Services Institute.
As the human resources office of the U.S. federal government, OPM is seen as a high-value hacking target. Its computers store sensitive employee information such as social security numbers, payroll data, job descriptions, performance reviews and family information.
Such information could be of value either to criminals, who could sell the data for financial gain, or to state-sponsored hackers motivated by nationalistic concerns, Pritchard said.
"Not only do they now know who works in which government department, they also know something about them so they start to craft really good phishing emails which will get them to click on a link or open an attachment," he said.
FBI, DHS investigating
OPM said it detected the security breach in April before it took what it calls an "aggressive effort" to implement tougher controls. It said the Federal Bureau of Investigation and Department of Homeland Security are investigating to determine the full extent of the damage.
The FBI said it takes all threats to public and private sector cyber systems seriously and will hold those who make such threats accountable.
It is not clear if specific government employees were targeted or if the hackers simply swept up large amounts of employee data for later use. Officials also would not say what type of information was accessed or stolen.
OPM said it will notify all current and ex-federal employees whose information may have been compromised. The agency will offer those workers access to credit reports and monitoring, and identity theft recovery services at no cost.
Not the first attack
The OPM cyberattack may be the biggest, but is not the first time hackers gained access to federal government computer systems.
Unclassified computers at the White House and State Department have been hit. Twitter and YouTube accounts of the U.S. central military command were also struck earlier this year.
The Internal Revenue Service, which is responsible for tax collection, said last month that hackers stole information on 100,000 U.S. taxpayers.
Cyber warriors have also attacked such commercial giants as the Sony Pictures movie studio, Target and Home Depot stores, the EBay online auction site, and JP Morgan Chase bank.
Some of the attacks have been blamed on North Korea, Russia and China.
Experts say China is desperate to get its hands on U.S. industrial and trade secrets. China angrily denies the accusations and says it has been targeted by U.S. hackers.
The U.S. last year charged five Chinese military officers with hacking into and stealing trade secrets from the computers of several large American nuclear, metal and solar companies.
China denounced the indictment and suspended a series of discussions with the U.S. to combat cyber crimes.