The Obama administration is scrambling to assess the impact of a massive data breach, suspected to have originated in China, involving the agency that handles security clearances and employee records, U.S. officials said Thursday.
U.S. officials told NBC News that, so far, the breach doesn't appear to be the "worst-case scenario" — compromise and disclosure of the identities of covert CIA agents. But they said the breach — which exploited a "zero day" vulnerability, meaning one that was previously unknown — could be the biggest cyberattack in U.S. history, potentially affecting every agency of the U.S. government.
As many as 4 million current and former government employees will be sent notices beginning Monday that their personal information — including names, Social Security numbers and birthdates — might have been hacked at the Office of Personnel Management, or OPM, the agency that screens and hires federal workers and approves security clearances for 90 percent of the federal government, officials told NBC News.
"The ramifications are very serious," Susan Collins, R-Maine, a member of the Senate Intelligence Committee, told NBC News.
"Potentially 4 million former and current federal employees have had their information compromised, and because OPM is the agency that holds security clearances, that's giving a potential enemy like China very valuable information," she said.
Zhu Haiquan, a spokesman for the Chinese Embassy, denied that China was involved, telling NBC News that "Chinese laws prohibit cyber-crimes of all forms." Coincidentally, this is National Cyber Security Awareness Week in China.
"Jumping to conclusions and making hypothetical accusations is not responsible and counterproductive," Zhu said.
The FBI is leading the investigation after OPM discovered the breach in April, before it took what it called an "aggressive effort" to establish stricter security controls, the agency said.
OPM said it was working with CERT — the Department of Homeland Security's Computer Emergency Readiness Team — and the FBI "to determine the full impact to federal personnel."
OPM said everyone who gets a notice will be provided with government assistance with credit reports and identity theft insurance. The Federal Trade Commission posted guidance Thursday evening for anyone who suspects his or her data might have been compromised.
Lawmakers said the new breach was further proof that it's time for the U.S. to take strong action to harden its computer networks.
"If a foreign country can invade OPM, apparently pretty easily, and steal the data of 4 million federal employees, just think what a determined adversary could do to our critical infrastructure," Collins said. "They could cause widespread death and destruction, and that's what I'm most worried about."
She added: "We should have passed a bill years ago, and I don't know how many more breaches our country has to witness before we finally pass a tough cybersecurity law."
Adam Schiff, D-California, the top Democrat on the House Intelligence Committee, called the new attack "most shocking because Americans may expect that federal computer networks are maintained with state-of-the-art defenses."
Schiff added: "It's clear that a substantial improvement in our cyber-databases and defenses is perilously overdue."
Richard Burr, R-North Carolina, chairman of the Senate Intelligence Committee, agreed, saying, "We cannot continue to look the other direction."
"Our response to these attacks can no longer simply be notifying people after their personal information has been stolen," Burr said. "We must start to prevent these breaches in the first place."