The Office of Personnel Management knew that its computer security system could be exploited by outside act, but the issue still wasn't spotted in time. The OPM is expected to roll out two-step authentication to better protect its networks.
It was still too late - tens of thousands of files were already stolen before the inspector general's report last November. After a breach was detected last summer, cybercriminals were able to launch a broader attack that likely began in December. So far, more than 4 million people have been exposed by the breach, and it's likely that number will rise.
Cybercriminals tend to be very patient while browsing compromised networks, especially organized cyber hackers. It's possible the OPM hack was carried out by those responsible for breaching Anthem, as personal information is lucrative.
"They didn't go to sell the data, which is what criminal groups usually do," said James Lewis, expert at the Center for Strategic and International Studies group, in a statement published by the New York Times. "It's biographic databases that really give an intelligence benefit - and that get into an opponent's skin."