Hackers breached the systems of the United States government agency that collects personnel information for federal workers, in a massive cyber attack that compromised the data of about 4 million current and former employees.
A US law enforcement source said a foreign entity or government was believed to be behind the cyber intrusion against the Office of Personnel Management (OPM).
The Federal Bureau of Investigation said it had launched a probe and would hold the culprits accountable.
OPM detected new malicious activity affecting its information systems in April. The Department of Homeland Security said it concluded at the beginning of May that the agency's data had been compromised.
In a statement, Homeland Security said the data breach was discovered by the agency's EINSTEIN intrusion detection system, as developed by the US Computer Emergency Readiness Team (US-CERT).
Despite EINSTEIN, millions of employee records were siphoned off from the federal human resource agency's systems.
The breach affected OPM's IT systems and its data stored at the Department of the Interior's data centre, which is a shared service centre for federal agencies, a DHS official said on condition of anonymity. The official would not comment on whether other agencies' data had been affected.
OPM had previously been the victim of another cyberattack, as have various federal government computer systems at the State Department, the US Postal Service and the White House.
"The FBI is working with our interagency partners to investigate this matter," the bureau said in a statement. "We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace.”
A law enforcement official, speaking on condition of anonmity, said the cyber attack was believed to have been launched from outside the United States, but would neither confirm nor deny that it had originated in China.
The US government has long raised concerns about cyber spying and theft emanating from China and has urged Beijing to do more to curb the problem. China has denied US accusations.
There was no immediate comment from the White House on the latest cyber attack.
Since the intrusion, OPM said it had implemented additional security precautions for its networks. It said it would notify the 4 million people affected and offer them credit monitoring and identity theft services.