The government is investigating a “massive data breach.”
The US Government agency that handles all federal personnel data has suffered what the Associated Press described as a "massive data breach" that "could potentially affect every federal agency."
The Office of Personnel Management (OPM), the government's human resource department that handles security clearances and federal employee records, disclosed the hack in a press release on Thursday.
The agency said that in April of 2015 it had identified "a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information," although the breach is only being disclosed now. OPM alsos said that it will notify around 4 million people whose personal information "may have been compromised"—although the number is likely to grow since the investigation is ongoing.
To protect employees from identity theft, OPM is giving them free "credit report access, credit monitoring and identify theft insurance and recovery services," according to the press release.
"Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM," OPM Director Katherine Archuleta said in a statement.
This is not the first time that the OPM got hacked.
Yet, this is not the first time that the OPM got hacked. In July of last year, Chinese hackers reportedly broke into the agency's computers to steal files related to government employees.
The FBI and the U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) are investigating the incident along with OPM, the agency said.
"We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace," an FBI spokesperson told Motherboard in a statement.
Unnamed government officials said the hackers are believed to be based in China, according to The Wall Street Journal. Details are so scarce that it is too early to say where the attack originated, however.
The OPM declined to share more details beyond what's disclosed in the press release.
For experts, the breach isn't very surprising.
"There is a general notion that government agencies unilaterally have their act together when it comes to protecting their information assets," Jay Kaplan, the founder of security firm Synack, and a former NSA analyst, told Motherboard. "This is fundamentally false."
Kaplan also said that data held by OPM is "extremely sensitive" and its loss "could put key government employees that wish to remain anonymous at risk."
This story has been updated to add comments form Jay Kaplan.