Data stolen from U.S. government computers by suspected Chinese hackers included security clearance information and background checks dating back three decades, U.S. officials said on Friday, underlining the scope of one of the largest known cyber attacks on federal networks.
OPM officials declined to comment on whether payroll data was exposed other than to say that no direct-deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to.
The disclosure by U.S. officials that Chinese hackers stole records of as many as 4 million government workers is now being linked to the thefts of personal information from health-care companies.
Forensic evidence indicates that the group of hackers responsible for the U.S. government breach announced Thursday likely carried out attacks on health-insurance providers Anthem Inc. and Premera Blue Cross that were reported earlier this year, said John Hultquist of iSight Partners Inc., a cyber-intelligence company that works with federal investigators.
Payday didn’t go as planned on January 2, 2014, for some Boston University employees. On that day, about a dozen faculty members discovered their paychecks hadn’t been deposited into their bank accounts. Thieves had changed the victims’ direct deposit information and rerouted their pay. BU’s IT security team traced the attack to a phishing email sent to 160 people at the university. The email – which prompted BU faculty to click on a link and confirm their log-in details – led to the compromise of 33 accounts. Thirteen faculty members had their paychecks stolen.
After BU warned faculty and staff of the paycheck heist, the attackers sent another phishing attempt that played off BU’s warning and directed recipients to another bogus site. “The folks who sent the original message were actively watching us,” Shamblin said. “They coopted my authority for a second attack on my people.”
Meanwhile, 1,200 miles away, the University of Iowa experienced similar attacks.
- See also NYT – Sharing Data, but Not Happily