WASHINGTON — The massive hack last year of the Office of Personnel Management’s system containing security clearance information affected 21.5 million people, including current and former employees, contractors and their families and friends, officials said Thursday.
That is in addition to a separate hack – also last year – of OPM’s personnel database, which affected 4.2 million current and former employees. That number was announced previously.
Together, the breaches arguably comprise the most consequential cyber intrusion in U.S. government history. Administration officials have privately said they were traced to the Chinese government and appear to be for purposes of traditional espionage.
The 21.5 million figure includes 19.7 million individuals who applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or people who live with the applicants. Some records also include findings from interviews conducted by background investigators, and about 1.1 million include fingerprints, officials said.
Individuals who underwent a background investigation through OPM in 2000 or afterward are “highly likely” affected, officials said. Background checks before 2000 are less likely to have been affected, they said.
ACCESS TO PERSONAL DETAILS
The lapse enabled hackers to gain access not only to personnel files, but also personal details about millions of individuals with government security clearances – information a foreign intelligence service could potentially use to recruit spies.
Because the exposed records included information on individuals who served as references on security clearance applications, U.S. official said that stolen data includes details on certain employees’ relatives and friends.
Thursday’s announcement only seemed to strengthen Republican calls on Capitol Hill for OPM Director Katherine Archuleta and her chief information officer, Donna Seymour, to resign.
“Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices,” Rep. Jason Chaffetz, R-Utah, said in a written statement. “Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable.”
The intrusion of OPM’s system containing security clearance data took place in June or early July of 2014, officials said. The hack of a separate OPM database containing personnel records occurred in December.
In both cases, officials said, the hackers worked for the Chinese government, although the Obama administration has not formally accused Beijing. “It is an enormous breach, and a huge amount of data that is personal and sensitive . . . was available to adversaries,” FBI Director James Comey said at a Senate Intelligence Committee hearing Wednesday.
“We’re talking about millions and millions of people affected by this,” he said. “I’m sure the adversary has my SF86 now,” referring to the Standard Form 86, which all applicants for security clearances must fill out.
He noted it lists “every place I’ve lived since I was 18, every foreign trip I’ve taken, all of my family and their addresses. . . . I’ve got siblings. I’ve got five kids. All of that is in there.”
Said Comey: “It is a huge deal.”
SOME SPYING INTELLIGENCE VALUE
Not every spy’s data is in the system. The CIA conducts its own security clearance investigations and keeps that data to itself. Even so, some U.S. officials have said that a foreign spy service might be able to identify U.S. intelligence operatives by comparing stolen OPM records with rosters of U.S. personnel at embassies overseas.
Names that appear on U.S. embassy lists but are missing from the OPM files might enable a foreign intelligence service with sophisticated computer capabilities to identify CIA operatives serving overseas under diplomatic cover.
OPM has been under fire for the breaches.
OPM officials have defended the agency, saying that it was only because of a strategic plan put in place by Archuleta shortly after she became director in November 2014 that the breaches were discovered.
“There are certainly some people I would like to see given the boot for not paying attention to cybersecurity, but Katherine Archuleta is not one of them,” said one administration official, requesting anonymity to discuss personnel issues. Maybe they didn’t move as fast as they should have but they were at least moving in the right direction and were prioritizing it in an agency that didn’t think of itself as having a security mission.”