A U.S. law enforcement source told Reuters a foreign entity or government was believed to be behind the cyber intrusion against the Office of Personnel Management (OPM), and media reports said authorities suspected it originated in China.
The Federal Bureau of Investigation said it had launched a probe and would hold the culprits accountable.
OPM detected new malicious activity affecting its information systems in April and the Department of Homeland Security said it concluded at the beginning of May that the agency's data had been compromised.
The breach affected OPM's IT systems and its data stored at the Department of the Interior's data center, which is a shared service center for federal agencies, a DHS official said on condition of anonymity. The official would not comment on whether other agencies' data had been affected.
OPM had previously been the victim of another cyberattack, as have various federal government computer systems at the State Department, the U.S. Postal Service and the White House.
"The FBI is working with our interagency partners to investigate this matter," the bureau said in a statement. "We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace.”
A law-enforcement official, speaking on condition of anonmity, said the cyber attack was believed to have been launched from outside the United States, but would neither confirm nor deny that it had originated in China.
The U.S. government has long raised concerns about cyber spying and theft emanating from China and has urged Beijing to do more to curb the problem. China has denied U.S. accusations.
There was no immediate comment from the White House on the latest cyber attack.
Since the intrusion, OPM said it had implemented additional security precautions for its networks. It said it would notify the 4 million people affected and offer credit monitoring and identity theft services to the people affected.
"The last few months have seen a series of massive data breaches that have affected millions of Americans," U.S. Rep. Adam Schiff, the ranking Democrat on the House Permanent Select Committee on Intelligence, said in a statement.
But he called the latest intrusion "among the most shocking because Americans may expect that federal computer networks are maintained with state of the art defenses."
"It's clear that a substantial improvement in our cyber databases and defenses is perilously overdue," Schiff added.