OPM Director Katherine Achulet
OPM Director Katherine Achulet testifies before a House subcommittee about the hack that has ravaged her department, and the government's cybersecurity reputation. Reuters/Jonathan Ernst

The U.S. Office of Personnel Management is investigating whether hackers obtained Social Security numbers on 18 million federal workers as part of the data breach that was first reported earlier this month. The hack, which has widely been blamed on China, also exposed a weak federal security network that's unable to stop sophisticated cyberattacks, experts said.

OPM Director Katherine Achulet said in a statement to the House Oversight Committee Wednesday that the government may have failed to protect nearly 20 million current and former employees' SSNs, maybe the most valuable piece of identification hackers use when stealing victims' identities.

It's the latest figure to come from the agency that first reported four million people had been affected, then that valuable security clearance information had also been taken. Achulet also mentioned that cyberthieves likely have information on government employees' relatives, which applicants must list when they apply for a federal job.

“It is my understanding that the 18 million [number] refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigations data,” she said. “It is a number I am not comfortable with.”

Achulet's testimony came the day after current and former workers came forward to criticize the security system, known as Einstein, that the Office of Personnel Management relies on to protect itself from outsiders. To police the network, Einstein primarily trolls for previous forms of malware. It's still susceptible to zero-day attacks, which occur when hackers launch entirely new strains of malicious software.

Einstein first debuted under the Bush administration in 2004, though a number of federal agencies including the OPM have still failed to adopt updated versions of the software, according to the Wall Street Journal. Still, government sources said they hope Einstein will be updated and made capable of spotting intrusions before they become too devastating.

“I think Einstein -- in whatever iteration -- can probably be considered to be outdated technology,” Gus Coldebella, a former top lawyer in the Department of Homeland Security, told the Journal. “It’s better than nothing, but unless the bad guys are using something that’s already identified in Einstein, it’s not going to pick it up.”

RELATED STORIES
China Cybercrime