On June 4, the Office of Personnel Management (OPM) announced that hackers working for the Chinese state had breached about four million records of current and former federal employees – the largest hack in recent years. The incident was the second major intrusion targeted at OPM by China and the second major breach against the U.S. by a foreign entity in recent months.

Although the breach was traced back to December, the agency first identified it in April as a direct result of investments in its cybersecurity infrastructure.

But what do we know about the breach so far in terms of its true impact on employees, cybersecurity initiatives, and government policy? Here are eight facts that we know right now:

The Hack Went Undetected for Over 12 Months

According to an ABC News report, the data breach at OPM had been going on for some time. Although the official word from the government is that it all started in December, ABC suggests that the initial intrusion happened more than a year ago. This isn’t surprising. ZDNet reports that it takes most organizations over six months to detect data breaches, giving hackers ample time to conduct surveillance and steal data. Furthermore, the breach pre-dated OPM’s adoption of tougher security controls.

More and More Employees Likely Impacted

New estimates put the number of federal workers impacted by the breach at between nine and 14 million, much higher than the four million initially disclosed by the Obama administration.

Hackers Tried to Breach Other Networks First

Although the attack seemed contained to OPM’s servers, it could have been much worse. The same threat signature was detected trying to access other federal networks.

A 2nd Breach Exposed Highly Sensitive Background Check Data

While investigating the first breach, investigators found that another federal database was also compromised, putting deeply personal information in hackers’ hands. While OPM confirmed that the original breach resulted in access to information such as social security numbers, job assignments, performance ratings, etc., the second attack exposed details gleaned during federal employee background checks such as mental illnesses, drug and alcohol use, past arrests, bankruptcies, and more.

Einstein Blocked Future Malicious Activity

As soon as the attack was reported to the FBI and the Department of Homeland Security, the latter’s Einstein cyber threat detection system was updated with information about the attack signature, which allows agencies to block any future attacks. Einstein blocks known threats but doesn’t detect new ones, unless there is an associated threat signature.

Federal Workers Feel Betrayed and Frustrated by OPM Response

The Federal Times reports that federal workers who placed calls to the OPM hotline set up in the wake of the breach struggled to get through and, when they did get through, were met by an automated message instead of a live operator. The faux pas has since been corrected, but it reflects a level of unpreparedness when dealing with employee concerns.

In a similar vein, a poll conducted by Federal News Radio found that 82% of respondents were “very worried” about the breach. In addition, comments left on the Federal News Radio Facebook page summed up the sentiments of many: “I feel betrayed. Not because they were hacked but because it took nearly 3 weeks for my employers to let me know,” said one reader, while another commented: “This is the 3rd time my data has been compromised by the Federal Government. Worried? No, I’m not worried. I am furious. Was the data encrypted as required by law? If not, when can we expect to see the criminal charges brought against those guilty of criminal malfeasance?”

Feds Have 30 Days to Shore up Cybersecurity

30 days is not a long time, but that’s what Federal CIO Tony Scott has given agencies to improve their cybersecurity postures as a direct result of the breach. During this 30-day sprint, agencies are encouraged to patch vulnerabilities, work with Homeland Security to identify and mitigate threats, tighten user privileges and access controls, and accelerate the use of personal identity verification cards.

Lawmakers Call for More Cybersecurity Funding

Senators Mark Warner and Angus King are seeking more funding for OPM to help it continue and complete its cybersecurity upgrades, as well as to evaluate other methods. Equating cybersecurity with national defense, the Senators wrote to Congress saying: “As the keeper of sensitive data — including personally identifiable information for 32 million federal employees and retirees — OPM has a huge responsibility to maintain and consistently upgrade their cybersecurity controls.”