Earlier this month, China admitted for the first time publicly that the data privacy breach of the U.S. Office of Personnel Management's computer systems was the work of Chinese hackers. However, China insisted that these attacks were the work of criminals, not a state-sponsored attack. There has been no information released about any identifying details of these criminals.
That last point is something that some in the U.S. have debated. The sophistication and length of the attack give some doubt to the rouge criminal theory. Also, the financial information has not been used for fraud, which is atypical of a criminal data breach.
The data privacy breach itself was massive and extremely sophisticated. In fact, the breach went on for over a year before it was even discovered. It involved the security-clearance forms of millions of federal employees, veterans, contractors and others. These forms include information about health, finances and other Personally Identifiable Information (PII) for 19.7 million people who underwent government background checks in the last 15 years, as well as 1.8 million other people such as spouses and friends.
The data privacy breach was so large, in fact, that the Office of Personnel Management is still trying to notify all of the victims.
Overall, this is one of the larger breaches in U.S. history and exposed millions of U.S. citizens PII to China. What is being done with this information is yet to be seen.
From a records management point of view, although it may be impossible to prevent a breach from ever happening, it is critical to have a solid information governance strategy to limit exposure and separate sensitive records from everyday documents. Involving every department ensures that any information that could be deemed sensitive is considered in the overall plan. Managing every record properly and proactively will improve efficiency, control costs and reduce risk.