If those are indeed the files the hackers got, that means they know all federal employees':
- birth dates
- gender and race
- Social Security numbers
- job and pay history
- military records and veterans' status
- health insurance, life insurance and pension information
We now know hackers also had access to thousands of investigative files for federal employees and contractors applying for security clearances. Those exhaustive investigations dig into employees' personal lives in excruciating detail and list pretty much every bad thing a person has done, from drugs and illegal activities to gambling and financial problems to relationship troubles.
But hackers possibly got access to all that in December, and it was reportedly discovered in April. The government told the public about it in June, when the story broke.
And when you get hacked, waiting to share the news is exactly what you're not supposed to do. That's according to ... the government itself.
Last year, Congress debated making federal guidelines requiring American companies to report customer data breaches (I know, it's tough to believe there aren't any already).
In a February 2014 hearing on the subject, senators blasted companies, such as Target and Neiman Marcus, for not telling customers right away there was a possibility that their credit card information had been hacked.
“The public notification is always vague; it is non-specific," Sen. Dianne Feinstein (D-Calif.) said.
Federal Trade Commission head Edith Ramirez even said in that hearing that there should be some kind of rule requiring prompt notification of a hack:
“Never has the need for legislation been greater. With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act.”
It appears the government didn't take its own advice.
It's not clear why the government waited to tell employees their information had been compromised. A Department of Homeland Security official told congressional staff it takes several weeks for officials to even understand what happened.
On Friday, Nakashima reported a U.S. official speaking on condition of anonymity said the government did tell employees in a prompt manner:
The administration timed its announcement last week to comply with its own policy, as reflected in proposed legislation, to notify individuals of a breach within 30 days of determining that there is a “reasonable basis to believe” that people’s personal information has been compromised, the U.S. official said.
But when hackers stole 40 million customer credit and debit cards from Target during the 2013 December holiday rush, the company waited a week before notifying customers -- and got in trouble from Congress for the delay.
When the government's December hack was made public last week, it said it had plans to "notify about 4 million current and former federal employees that their personal data may have been compromised."
The December hack was also the second time in 2014 that hackers breached sensitive government data on federal employees.
In March, Chinese hackers allegedly got access to similar personnel files, including security clearance information. The public found out about that hack when the story broke in July of last year.
There's been a push in Congress in recent years to make it a crime not to report major hacks ASAP. Rep. John Conyers (D-Mich.) has introduced the Cyber Privacy Fortification Act every year since 2012. It has yet to get a vote.
This post has been updated to reflect new information about the security breach.