The Chinese breach of the Office of Personnel Management network was wider than first acknowledged, and officials said Friday that a database holding sensitive security clearance information on millions of federal employees and contractors also was compromised.
In an announcement, OPM said that investigators concluded this week with “a high degree of confidence” that the agency’s systems containing information related to the background investigations of “current, former and prospective” federal employees, and others for whom a background check was conducted, were breached.
OPM is assessing how many people were affected, spokesman Samuel Schumach said. “Once we have conclusive information about the breach, we will announce a notification plan for individuals whose information is determined to have been compromised,” he said.
The announcement of the hack of the security-clearance database comes a week after OPM disclosed that another personnel system had been compromised. The discovery of the first breach led investigators to find the second — all part of one campaign by the Chinese, U.S. officials say, evidently to obtain information valuable to counterespionage.
“This is potentially devastating from a counterintelligence point of view,” said Joel Brenner, a former top counterintelligence official for the U.S. government, speaking about the latest revelation. “These forums contain decades of personal information about people with clearances . . . which makes them easier to recruit for foreign espionage on behalf of a foreign country.”
Last week, OPM announced that a database containing the personal information of about 4 million current and former federal employees was hacked. Privately, U.S. officials said the Chinese government was behind the breach. The administration has not publicly pointed a finger at Beijing.
The breach of that data system affected 4.1 million individuals — all 2.1 million current federal civilian employees and 2 million retired or former employees. Information on officials as senior as Cabinet secretaries may have been breached. The president’s and vice president’s data were not, officials said.
China has dismissed the hacking allegations, with a Foreign Ministry spokesman last week calling them “irresponsible and unscientific.”
The separate background-check database holds the sensitive information applicants provide on Standard Form 86 (SF-86), the questionnaire used for national security background investigations: financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends.
That database was also breached last year by the Chinese in a separate incident, and the new intrusion underscores how persistent and determined Beijing is in going after data valuable to counterespionage.
“The adversary is obviously very interested in that data,” said a U.S. official, who, like several others who were interviewed, spoke on the condition of anonymity because of the ongoing investigation.
The discovery of the second compromise was not exactly a surprise. “It’s like cancer,” a second U.S. official said. “Once you start operating on the cancer, you find it has spread to other areas of the body.”
Employees of intelligence agencies, such as the CIA, generally do not have the records of their clearance checks held by OPM, although some do, officials said.
“That’s the open question — whether it’s going to hit CIA folks,” the second official said. “It would be a huge deal. They could start unmasking identities.”
Matthew Olsen, a former National Security Agency general counsel and former head of the National Counterterrorism Center, said the breach is “truly significant.” The data can be used in many different ways to target people, “whether it’s blackmail, to recruit, to punish individuals in China who are connected to people in the United States.”
In the past year or two, the Chinese government has begun building massive databases of Americans’ personal information obtained through cyberespionage. Besides the series of OPM intrusions, a federal government contractor that conducted background investigations for OPM and the Department of Homeland Security was hacked last year by the Chinese. And Beijing has been linked to penetrations of several health insurance companies that hold personal data on tens of millions of Americans.
“Who can be surprised?” Brenner said. “They’re making a concerted effort to gather vast quantities of information about Americans. This is perfectly clear. That they have all this clearance information is a disaster.”
President Obama, as with previous high-profile breaches, has been briefed on the investigation. What steps, if any, the administration can or should take in response is a difficult discussion, current and former officials said.
“There are a whole array of things we need to do across the board, from raising our defenses to making sure that this stuff isn’t actually on the criminal underground to understanding the full scope” of the breach, the first official said. “We haven’t gotten there yet.”
What complicates this case is that unlike many other Chinese breaches of U.S. networks, the OPM hacks do not involve theft of commercial secrets. Last year, the United States indicted five Chinese military officials on charges of commercial cyberespionage. With traditional espionage, the options are fewer.
“You’re not going to start a shooting war over this,” a former intelligence official said. “We need to improve our defenses. We also want to go on the offense.”
Offensive actions might include directing a U.S. agency to locate the servers holding the stolen data and to delete or alter it, the former official said.
The administration timed its announcement last week of the initial OPM breach to comply with its own policy, as reflected in proposed legislation, to notify individuals of a breach within 30 days of concluding that there is a “reasonable basis to believe” that personal information has been compromised, the first U.S. official said.
Although the breach was discovered in April, it was not until early May that investigators determined that employees’ personal data probably was taken. That led to the announcement last week even though, the official said, the investigation was not complete.
During a briefing for congressional staff last week, Ann Barron-DiCamillo, a senior DHS official, tried to explain the delay in alerting employees to the breach. “It takes time to do the forensics and to understand what’s happened, and even to understand what data, if any, has been exposed,” she said, according to notes taken by a congressional aide.
The breach, she said, took place in December. “It took a while to pinpoint what actually went out the door because it happened six months ago,” she said.
Adam Goldman and Lisa Rein contributed to this report.