The Massive Hack on US Personnel Agency is Worse Than Everyone Thought

Last week, the human resources arm of the US government, the Office of Personnel Management (OPM) admitted that it had been victim of a massive data breach, where hackers stole personal data belonging to as many as 4 million government workers.

From the get-go, it was clear that the hack was a big, dangerous deal, even though the US government has refused to clearly say—and might very well not even know—how much data was actually affected.

OPM handles all kinds of sensitive and highly personal information of US government workers, including social security numbers, as well as data on security clearance applications, and background checks.

But now it seems like it was even worse than we initially thought.

"The hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees," read a letter sent by the American Federation of Government Employees (AFGE), and first reported on by the Associated Press on Thursday.

In the letter, according to the AP, AFGE's president said that "Based on the sketchy information OPM has provided" during internal OPM briefings, the hackers got their hands on a slew of sensitive data such as "military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race data."

And there's more. Apparently the hack went unnoticed for more than a year, according to anonymous sources cited by ABC News.

"If [only] they knew the full extent of it," a source briefed on the breach told ABC News.

According to the source, the breach affected OPM servers that stored forms filled out by government employees looking for security clearances. The information disclosed on these forms, according to experts, is "goldmine" for foreign spies, and "everything anyone would ever need for blackmail," since they can include full biographies, family members data and even information on the applicant's' social life, including embarrassing information on past "legal, private, sexual" troubles, according to John Schindler, a former professor of national security affairs at the US Naval War College.

These forms dig "into every aspect of your social and financial life," according to Chris Eng, the vice president of research at Veracode, who underwent a background investigation.

All this was probably thanks to OPM's lax, or downright awful, security practices, which various outlets, such as Ars Technica, have detailed over the weekend. Just to name one, the agency didn't even have an inventory of devices connected to its network, according to a report prepared last year OPM's Inspector General.

A spokesman for OPM did not answer to Motherboard's call requesting comment for this story.

In its press release disclosing the hack, OPM said protecting US government employees' data "is of the highest priority," yet this massive hack was actually not the first one that the agency suffered in less than a year.

Meanwhile, despite the fact that government officials have leaked to the press that China is behind the hack, anonymous hackers are claiming to be in possession of the data, and offering to sell it on the dark web. On Thursday, a hacker dumped up to 23,000 government emails and passwords, although it's not clear if the data comes from this OPM breach.

What's clear, however, is that this OPM breach is even more serious than everyone thought.