A massive hack of government personnel files is being treated as the work of foreign spies who could possibly use the information to sneak their way into more-secure computers and plunder U.S. secrets.
Dan Payne, a senior counterintelligence official for the Director of National Intelligence, told federal employees Friday to change their passwords, put fraud alerts on their credit reports and watch for attempts by foreign intelligence services to exploit them.
"Some of you may think that you are not of interest because you don't have access to classified information," he said. "You are mistaken."
Federal officials said Friday the cyberattack appeared to have originated in China, but did not point fingers directly at the Chinese government. The Chinese responded, saying any accusation would be “irresponsible and unscientific.”
"We know that the attack occurred from somewhere in China, but we don't know whether it was an individual or a group or a nation-state attack," said Rep. Jim Langevin, a Rhode Island Democrat and leading voice in Congress on cybersecurity. He added, though, that it had "all the hallmarks of a nation-state attack."
White House spokesman Josh Earnest said he could not divulge much while the case was still being investigated. However, Earnest acknowledged the “threat that is emanating from China.”
One U.S. official told The Associated Press the breach of data involving more than 4 million past and present federal workers was being investigated as a matter of national security. That suggests that another nation is believed to be behind the attack rather than an internet hacking gang.
The breach was an embarrassing showing for the U.S. government's vaunted computer-defense system for civilian agencies — dubbed "Einstein" — which is costing $376 million this year alone. It's supposed to detect unusual Internet traffic that might reflect hacking attempts or stolen data being transmitted outside the government.
The target for such a hack could be classified military secrets or economic strategy and internal foreign policy debates.
This latest breach occurred in December but wasn't discovered until April, officials say. It was made public Thursday.
"The scale of it is just staggering," said Rep. Adam Schiff, D-Calif., top Democrat on the House Intelligence Committee. There's no telling how many more attacks could be spawned by the information stolen in this case, he said.
Although most Americans think of identity thieves as stealing credit card information, the information about civilian federal workers has other value for spies.
"They're able to identify people who are in positions with access to significant national security information and can use personal data to target those individuals," said Payne, the counterintelligence official.
He said details from personnel files could be used to craft personalized phony messages to trick workers. Federal employees who think they're opening an email from co-workers or family members might infect their computers with a program that would steal more information or install spy software.
Spies could also use details about an employee’s interests to manipulate them into spilling government secrets.
Kevin Mitnick, a former hacker who now runs Mitnick Security Consulting of Las Vegas, called confidential details about federal employees "a gold mine."
"What's the weakest link in security?" Mitnick said. "The human. Now you know all about your target."
The hackers could have made off with even more information about workers who undergo security clearance checks. That information includes the names of family members, neighbors, even old bosses and teachers, as well as reports on vices, arrests and foreign contacts.
However, OPM spokesman Samuel Schumach said there was no evidence to suggest that security clearance information collected by OPM was compromised. It's stored separately from routine personnel files, he said.
"The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, job assignments, training files, performance ratings and current and former addresses," Schumach said in an email.
The breach occurred at a network maintained by the Department of the Interior, which also houses the personnel agency’s files. Schumach said agencies share computer systems partly to save money.
Security experts say the hackers may have gone after the personnel agency because it is an easier target than the Pentagon or the National Security Agency.
Private cybersecurity researchers said they believe the personnel agency was targeted by the same hackers who got into the Anthem and Premera health insurance groups last year.
John Hultquist, head of cyberespionage intelligence at iSight, said the Dallas-based security firm had found evidence linking the insurance and government attacks, but declined to say whom they suspect. "We think they are creating a database they can leverage for follow-on espionage," Hultquist said.
A spokesman for the Director of National Intelligence declined to discuss whether there was evidence against China or whether intelligence agency employees were among those whose information was compromised.
U.S. investigators have improved their ability to attribute cyberattacks in recent years, officials said, and Chinese attacks often have identifiable signatures.
The Homeland Security Department noted that the Einstein defenses were just one part of the government's cybersecurity, and said it was used to confirm the breach. But that's like a smoke alarm sounding after the house burned down.
Einstein also helped in understanding how the break-in happened and in protecting against a similar attempt.
"It didn't fare so well," said James Lewis, a leading cybersecurity expert at the Center for Strategic and International Studies, a Washington think-tank. "It's only a victory if you defeat the opponent, and we didn't."
The Associated Press contributed to this report.