If you are one of the 20 million-plus people — including federal employees, contractors, job candidates and their family members — whose personal information was hacked and stolen from the Office of Personnel Management, you probably want the thieves captured and hauled off to prison.

Don’t hold your breath on that one.


The Theodore Roosevelt Building, headquarters of the U.S. Office of Personnel Management. Andrew Harrer/Bloomberg

A report from the Congressional Research Service says “criminal charges appear to be unlikely in the case of the OPM breach.”

While much of the July 17 report covers information already known, it also sheds light on the breadth, depth and danger of the hack that led to the resignation of Katherine Archuleta as OPM director.

Nothing in the report provides any comfort for victims of the breach.

Criminal charges are not likely if the heist was for espionage, as is the current thinking in the Obama administration, because “the United States deems counterintelligence to be an appropriate response,” the CRS report said. In other words, U.S. agents would hit back against the perpetrator and we’d probably never know about it.

James Clapper, the director of national intelligence, last month called China the “leading suspect” in the breach. On Tuesday, he told MSNBC’s “Andrea Mitchell Reports” that the theft was a “gold mine for a foreign intelligence service, whoever it was.”

[Watch the Clapper interview]

That gives Clapper reason to worry about his people.

“Dissemination of sensitive personnel files could damage the ability of clearance holders to operate with cover,” CRS warned, “and could open them up to potential exploitation from foreign intelligence agents.”

[The OPM cyberattack was a breach too far]

If the information were taken for commercial reasons, such as spying on companies or making bogus purchases, then the cops and the prosecutors would pursue criminal charges.

The United States has filed criminal charges against “known state actors for cyber economic espionage” only once, according to the CRS: in May 2014, over allegations that five members of China’s People’s Liberation Army engaged in commercial cyber espionage against U.S. companies and a labor organization.

Even if China or some other power hacked OPM’s data for espionage purposes, federal employees still are rightly concerned they could be personally injured by the theft, though so far the OPM data has not appeared “in the criminal underworld,” CRS said.

“In addition to being used by nation states, a trove of data from breaches such as those at OPM can provide a number of avenues for criminals to exploit,” according to the report. “For instance, compromised Social Security numbers and other personally identifiable information (PII) may be used for identity theft and financially motivated cybercrime, such as credit card fraud … even if data were stolen for non-criminal purposes, they could still fall into criminal hands.”

And there’s lots and lots of data to be had. For some, even fingerprints were stolen.

A second CRS report, issued Friday, listed the kind of data OPM collects on three standard forms for background investigation — the eight-page SF-85 for applicants to jobs that don’t require security clearances, the 11-page SF-85P for candidates seeking positions of significant public trust but not access to classified information and the 127-page SF-86 for national security positions.

All three forms require Social Security numbers. That’s like a key to a safe for identity thieves. The SF-86 asks for detailed data on the applicant’s financial condition, personal information of spouses, and details about “psychological and emotional health.” CRS said that OPM’s personnel investigation records also can include federal income tax returns but added that “it is unclear” if tax records were stolen.

Among those with the most reason to fret are those posted abroad.

The American Foreign Service Association said “the Foreign Service and their families face additional hardships over and above other federal employees affected by the breach due to the nature of the Foreign Service.” Those include:

  • Difficulty getting credit reports from abroad
  • Slower and more difficult notification to Foreign Service officers because they move frequently and OPM is less likely to have current addresses
  • The credit monitoring service form OPM provided has space to list just one passport, though most people in the Foreign Service have two, one for work and one for personal travel.

The theft of Foreign Service information “could compromise their ability to seek out, develop and maintain foreign contacts and the quality of those relationships,” said Susan R. Johnson, a Foreign Service officer and a past president of the American Foreign Service Association. “It could subject them to additional scrutiny and surveillance they otherwise might have avoided. Depending on the nature of the information, some employees may be seen as more susceptible to pressure or temptation.”

As bad as the current situation is, another attack could be worse.

Clapper predicted “the next type of attack will involve deletion or manipulation of data as opposed to perhaps stealing it or denying service.”

Be prepared for more bad news.

Staff writer Eric Yoder contributed to this report.