Why Are Government Hacks Often Bigger Than First Disclosed?

The challenge of accounting for the damage reflects an outdated approach to cybersecurity.

Former OPM Director Katherine Archuleta testifies before the House of Representatives on the size of the agency's breach. (Jonathan Ernst / Reuters)

Updated on June 28 at 12:00 p.m.

The U.S. government sure has been getting hacked a lot.

In July 2014, The New York Times reported that Chinese hackers broke into the servers of the Office of Personnel Management (OPM), the agency that functions as a kind of government-wide human-resources department.

More than a year later, in May 2015, the Internal Revenue Service announced that more than 100,000 taxpayer accounts at the IRS had been breached.

Both would have been bad by themselves. But since then, the number of people affected by each of those hacks has grown.

  1. On June 5, 2015, the OPM announced it was hacked again. It said that “as many as 4 million people [had been] affected” in a different hack.

  2. On June 22, 2015, the OPM hack grew. CNN reported that it ensnared “an estimated 18 million current, former, and prospective employees … more than four times the 4 million publicly acknowledged.”

  3. On July 9, 2015, the OPM reported a third hack. “More than 21 million Social Security numbers” were accessed in that leak, we reported. “OPM said 1.1 million of the compromised files included fingerprints.”

  4. On August 17, 2015, the IRS hack grew. “The total size of the breach [is estimated] at 330,000 accounts.”

  5. On September 23, 2015, the OPM hack grew again. “The government now estimates that 5.6 million individuals had their fingerprints stolen,” we wrote.

  6. On February 26, 2016, the IRS hack grew again. “A total of about 724,000 individuals may have had their personal information stolen by hackers,” we reported.

And just this week, OPM updated its frequently-asked-questions page to clarify information about who was affected by its most recent pair of data breaches: current and former federal workers, job applicants who underwent background checks—as well as the families and close contacts of all those groups.*

All this confusion has important consequences. The fact that this is how major hacks seem to work—that they’re unknown or undisclosed for long periods of time, only for the news to arrive in a slow drip of dreadful reports—complicates the attempts of people to understand them or follow them. It also makes it hard for someone to know whether they’re personally affected or what that means.

The difficulty of pinning down even the most basic details of critical hacks—what was actually stolen, the number of people affected—is the result of an outdated but still prevalent way of thinking about cybersecurity. For a long time, organizations have defended private information by fortifying their networks’ ramparts and posting sentries on their virtual walls, hoping to ward off hacker attacks from the outside. But now, most online-security experts say that IT departments should assume their organizations will get hacked at one point or another. By more carefully scanning for suspicious activity inside their own networks, organizations could catch intruders who may have sneaked past their external defenses. The defenders could kick the intruders out and survey the damage quickly and accurately. Any victims would know right away that their information was compromised—and be able to trust that the initial assessment won’t balloon in the following months.

But this new approach to cybersecurity will take time to implement. So will this list be continued? We’ll find out.

* This article originally misstated that OPM announced this week that more people were affected by the 2015 data breaches at the agency than it had previously reported. We regret the error.