The hackers who broke into the systems of the Office of Personnel Management (OPM), the US government agency that handles all government employees' data, might have also got their hands on data belonging to non-government employees, including contractors and journalists.
On Monday, The Washington Post revealed that OPM has started notifying journalists who "are accredited by federal agencies" that hackers stole their personal data too, including social security numbers.
Journalists who cover government agencies, and need access to buildings such as the White House, need to go through a background check and give out personal data to OPM. The agency, however, doesn't seem to be sure how many journalists and non-government employees are among the victims.
"Many individuals, including reporters who need long-term access to federal buildings, may undergo a routine background check in order to obtain valid credentials," OPM spokesman Sam Schumach told The Washington Post. "It's entirely possible that those journalists who have a Social Security number in the system were in this group."
"It's entirely possible that those journalists who have a Social Security number in the system were in this group."
Schumach, as well as OPM, did not respond to Motherboard's repeated requests for comment.
Hackers suspected to be linked to the Chinese government broke into the agency in May of 2014, but OPM did not find out about the breach until the following year, and only announced it publicly in June of 2015. Initially, OPM also underestimated the damage, saying the hackers stole personal information of around 4 million workers. It quickly became clear that OPM wasn't really sure how much data the hackers got their hands on. And as it turned out weeks after the initial announcement, it was indeed much worse than initially thought. There were actually more than 21 million victims, and perhaps even 35 million.
Six months later, the victim tally for the OPM hack keeps growing.
"This story just keeps changing every fucking time doesn't it?" Michael Adams, an information security expert who served more than two decades in the US Special Operations Command and who was among the victims of the initial breach, told Motherboard.
"This story just keeps changing every fucking time doesn't it?"
Given that OPM systems interfaced with a lot of databases and servers, as security experts found when the breach was announced, it's likely that the hackers got very deep into US government networks, according to Adams.
"This is not just a single attack. These people, whoever they are, have a foothold in the network," Adams said, adding that this might still be just the tip of the iceberg. "Until proven otherwise, I believe this is a different hack."
Adams added that if he were in charge of these systems, he'd shut them all down to "clean" them and make sure the intrusion is "eradicated."
At this point it's unclear and where this new personal data comes from exactly. A senior journalist who works at the White House and has what's called as a "hard pass," meaning a security pass to access the press area of the White House, said that reporters need to pass a background and security check with the Secret Service to get this pass. It's unclear if this data is then handled by OPM. The Secret Service did not answer to a request for comment.
It's possible that, six months after admitting that it got hacked, OPM is still assessing the damage.
"Frankly, they don't have any idea of the breadth and depth of this attack," Adams said.
Last week, OPM announced in a press release that the agency finished mailing notices to 93 percent of the victims of the data breach, roughly six months after the hack was disclosed. But OPM still hasn't tracked down and notified more than one million victims, and some victims were only notified in recent weeks.
Given the last development in this seemingly endless saga, OPM might soon have to send out more notifications.