WASHINGTON — The massive hack last year of the Office of Personnel Management’s system containing security clearance information affected 21.5 million people, including current and former employees, contractors and their families and friends, officials said Thursday.
That is in addition to a separate hack — also last year — of the Office of Personnel Management’s personnel database that affected 4.2 million people. That number was previously announced.
Together, the breaches arguably comprise the most consequential cyber intrusion in U.S. government history. Administration officials have privately said they were traced to the Chinese government and appear to be for purposes of traditional espionage.
The 21.5 million figure includes 19.7 million individuals who applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or people who live with the applicants. Some records also include findings from interviews conducted by background investigators, and about 1.1 million include fingerprints, officials said.
Individuals who underwent a background investigation through the Office of Personnel Management in 2000 or afterwards are “highly likely” affected, officials said. Background checks before 2000 are less likely to have been affected, they said.
The lapse enabled hackers to gain access not only to personnel files but also personal details about millions of individuals with government security clearances — information a foreign intelligence service could potentially use to recruit spies.
Because the exposed records included information on individuals who served as references on security clearance applications, U.S. official said that stolen data includes details on certain employees’ relatives and friends.
Wednesday’s announcement only seemed to strengthen Republican calls on Capitol Hill for Office of Personnel Management Director Katherine Archuleta and her chief information officer, Donna Seymour, to resign.
“Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices,” Rep. Jason Chaffetz, R-Utah, chairman of the House Oversight and Government Reform Committee, said in a statement.
“Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries,” Chaffetz said. “Such incompetence is inexcusable. Again, I call upon President Obama to remove Director Archuleta and Ms. Seymour immediately.”
The intrusion upon the Office of Personnel Management’s system containing security clearance data took place in June or early July of 2014, officials said. In December, a separate Office of Personnel Management database containing personnel records was also hacked, affecting 4.2 million current and former employees.
In both cases, officials said, the hackers worked for the Chinese government, although the Obama administration has not formally accused Beijing. “It is an enormous breach, and a huge amount of data that is personal and sensitive … was available to adversaries,” FBI Director James Comey said at a Senate Intelligence Committee hearing Wednesday.
“We’re talking about millions and millions of people affected by this,” he said. “I’m sure the adversary has my SF86 now,” referring to the Standard Form 86, which all applicants for security clearances must fill out.
He noted it lists “every place I’ve lived since I was 18, every foreign trip I’ve taken, all of my family and their addresses. … I’ve got siblings. I’ve got five kids. All of that is in there.”
Said Comey: “It is a huge deal.”
At a roundtable with reporters on Thursday, Comey called the heist a “treasure trove of information.”
Just imagine, he said, “if you were a foreign intelligence service and you had that data — how it would be useful.”
Not every spy’s data is in the system. The CIA conducts its own security clearance investigations and keeps that data to itself. Even so, some U.S. officials have said that a foreign spy service might be able to identify U.S. intelligence operatives by comparing stolen Office of Personnel Management records with rosters of U.S. personnel at embassies overseas.
Names that appear on U.S. embassy lists but are missing from the Office of Personnel Management files might enable a foreign intelligence service with sophisticated computer capabilities to identify CIA operatives serving overseas under diplomatic cover.
“That’s not conclusive that the person might be undercover CIA,” said one official, who requested anonymity to discuss a sensitive topic.”But it’s certainly worth taking a look at.” Such are the concerns that some officials have about the lack of security over the government’s data systems. “This is something that we must do better at defending against, because you can’t really blame our adversaries for trying to get this information,” the official said. “It’s really about how do we defend against it.” The Office of Personnel Management has been under fire for the breaches.
Office officials have defended the agency, saying that it was only because of a strategic plan put in place by Archuleta shortly after she became director in November 2014 that the breaches were discovered.
“There are certainly some people I would like to see given the boot for not paying attention to cybersecurity, but Katherine Archuleta is not one of them,” said one administration official, requesting anonymity to discuss personnel issues. Maybe they didn’t move as fast as they should have but they were at least moving in the right direction and were prioritizing it in an agency that didn’t think of itself as having a security mission.”
It has taken weeks for the agency to come up with the number, in large part because of the difficulty, officials say, of reviewing data contained in numerous computers that make up the background check system. Many of the computers are antiquated. There were many instances of names being duplicated — sometimes because someone was listed as a reference in several background checks as well as having their own clearance.
Employees are angry and two class action lawsuits have been filed against the agency and Archuleta.
The White House has been discussing possible response options, to include covert actions that would not be publicly announced. Among the options on the table, officials said, is economic sanctions. President Barack Obama recently signed an executive order creating a sanctions tool to punish cyber attacks and cyber economic espionage.
However, some U.S. officials caution against taking actions against foreign states when the cyber theft is conducted for traditional spying motives. The United States has not officially named China or the motive, but privately officials say it appears China was conducting a form of traditional espionage. The data taken does not appear to fall into the category of intellectual property or commercial secrets that can be used to benefit another country’s industry.
“I think we have to be careful about the importance of continuing to draw a line between theft for economic advantage and traditional foreign intelligence activities, which may look untraditional now that they’re in the cyber realm,” said Rep. Adam Schiff, D-Calif., a member of the House Intelligence Committee. “We want to draw a bright line” that hacking for economic benefit “is a violation of international norms.”
If the United States blurs the line between economic spying and foreign intelligence spying, “we risk undermining the fight against economic theft.”
The government has already begun taking steps to mitigate the damage in the intelligence and counterintelligence arena, Schiff said. “We’re going to be doing that for years, in terms of the whole range of steps that we’ll have to take to protect our people and our sources and methods.”
He added: “the consequences will be very far-reaching.”