YOKOTA AIR BASE, Japan — The Office of Personnel Management has started informing millions of federal employees that it may have lost control of their personal information in a data breach discovered earlier this month.
Hackers, who unnamed U.S. officials say have ties to the Chinese government, appear to have broken into the computer system run by OPM and compromised the personal information of up to 14 million government and military employees, according to The Associated Press.
A message from DoD’s chief information officer sent Monday to U.S. personnel in Japan said OPM has begun notifying about 4 million federal civilians who may have been victims of the breach.
“This incident affects current and former federal, including DoD, personnel,” the message said.
Military records were not part of the data breach, and the only contractors who may have been affected are those who previously held federal civilian positions, the message said.
U.S. personnel stationed in Japan started receiving notification emails over the weekend saying their information may have been compromised.
The agency “recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information,” OPM Chief Information Officer Donna K. Seymour said in an email received Saturday. Compromised data may include people’s names, social security numbers, dates and places of birth and current or former addresses, she said.
“OPM takes very seriously its responsibility to protect your information,” Seymour said in the email. “While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution.”
Affected individuals will receive a complimentary 18-month subscription to CSID Protector Plus, a service that monitors the Internet and public records for evidence of identity theft. Those affected, regardless of whether or not they enroll in CSID’s service, will get $1 million of identity-theft insurance through Dec. 7, 2016.
However, Seymour added that her message doesn’t mean OPM or the U.S. government accepts liability for losses that might occur from the data breach. Any alleged issues of liability are determined solely in conformance with appropriate federal law, she said.
Employees should note that neither OPM nor any company acting on its behalf will contact them to confirm personal information, Seymour said.
“If you are contacted by anyone purporting to represent OPM and asking for your personal information, do not provide it,” she said.
Monday’s message from DoD’s chief information officer said OPM started email notifications June 8 but that DoD suspended them after recognizing “the inherent security concerns in this methodology.”
DoD notifications were suspended until an improved, more secure notification and response process was in place, the message said.