“They didn’t go to sell the data, which is what criminal groups usually do,” James Lewis of the Center for Strategic and International Studies told The New York Times. The government and outside experts think that, along with the fact that the leak targeted government employees suggest an elaborate effort to build a huge database of information on federal employees. The data reportedly cover employees going back as far as 1985, and includes information on employees who applied for security clearances.

How did they do it, though? The government has a large, costly, sophisticated, and mostly secret system for protecting its data. But that system is, even according to the government, obsolete. It follows an old protocol of attempting to keep hackers outside, like a fence. Newer systems assume hackers will get through the outside defense and try to stop them once they’re inside.

The U.S. had been warned that it wasn’t ready in an inspector general’s report late last year. By the time the report landed, it was apparently too late, but many of the steps it recommended still haven’t been taken