The US government on Thursday admitted hackers accessed the personal data of at least four million current and former federal employees, in a vast cyber-attack suspected to have originated in China.
“As a result of the incident,” uncovered in April, the Office of Personnel Management said it “will send notifications to approximately four million individuals.”
It added that additional exposures “may come to light.”
The government’s personnel department handles hundreds of thousands of sensitive security clearances and background investigations on prospective employees each year.
It was not immediately clear whether the hack affected President Barack Obama, other senior government officials or the intelligence community.
The Washington Post and other US media cited government officials as saying that Chinese hackers were behind the breach.
But the Chinese embassy in Washington countered that such attacks would not be allowed under Chinese law.
“Jumping to conclusions and making hypothetical accusations is not responsible and counterproductive,” embassy spokesman Zhu Haiquan said.
“Chinese laws prohibit cyber crimes of all forms. China has made great efforts to combat cyber attacks in accordance with Chinese laws and regulations,” he added.
The FBI and Department of Homeland Security are said to be leading the investigation. The FBI in a statement said it “will continue to investigate and hold accountable those who pose a threat in cyberspace.”
Officials refused to assign attribution or motive, but pointed affected parties to measures that could prevent fraud and identify theft.
The government will, through a third party, offer $1 million in identity theft protection services at no cost.
“Protecting our federal employee data from malicious cyber incidents is of the highest priority,” Office of Personnel Management director Katherine Archuleta said.
Her agency said the intrusion may have begun late last year and “predated the adoption of the tougher security controls,” adding that government staff will be notified from June 8 if they are affected.
Latest in series of breaches
The new measures include restricting remote access, screening business connections and deploying anti-malware software.
It is just the latest in a series of major breaches that have shown the vulnerability of the federal government.
Last year Russian hackers are believed to have accessed unclassified computer systems at the White House and State Department.
Hackers stole information on 100,000 taxpayers from the online computers of the US Internal Revenue Service.
Obama has ranked China and Russia’s cyber-attack capabilities as “very good,” Iran’s as “good,” and North Korea’s as not “particularly good.”
China operates a vast security and surveillance apparatus, with the ruling Communist Party maintaining a resolute grip on power.
In a recent white paper, Beijing said it would “expedite the development of a cyber-force” within the People’s Liberation Army.
The United States has voiced an increasingly strident tone about cyber-attacks in recent months.
Admiral Michael Rogers, who heads the National Security Agency and US Cyber Command, has said that future attacks could prompt a response with conventional weapons.
In February, US Director of National Intelligence James Clapper said a steady stream of low-level cyber-attacks posed the most likely danger to the United States, rather than a potential digital “Armageddon.”
He said foreign “actors” are conducting reconnaissance and gaining digital access to US infrastructure systems, so they can launch a cyber-attack if necessary in the future.
There is growing concern that criminals, terror groups or spy agencies could target critical infrastructure such as power grids or air traffic control systems.
The Government Accountability Office warned in April of growing cyber threats against America and said the danger was “heightened by weaknesses in the federal government’s approach to protecting federal systems and information.”
The National Security Agency has reportedly been given wider powers to spy on Internet traffic in search of computer hacking by foreign governments or others.