Details of 4 million current and former US government employees may have been compromised by a hack found in April 2015. US law enforcement officials are saying this was done by the same Chinese hackers that attacked an insurance company, using a ‘zero-day’ vulnerability that allowed them access. The implication, for me, is that the data wasn’t encrypted. If strong encryption had been used there is less chance of it being useful, although it is of course still possible to decrypt anything given enough resources and time.
We must not forget that UK government agencies have not got a great track record in protecting information. There was a potentially worse incident in 2007 where personal details of 25 million people went missing. At least that data was password protected. There were no subsequent stories about large numbers of people suffering identity fraud so hopefully the discs were lost and didn’t get passed to criminals.
Update 8 June. It seems that the data wasn’t encrypted, and a former deputy under secretary for cybersecurity at the DHS was concerned about this.