Federal government officials avoided immediately disclosing just how severe the government employee data hack was by defining it as two distinct breaches, according to people familiar with the matter, in an incident that underscores the tensions within the government over what officials have described as one of the worst breaches of U.S. data.
The FBI strongly suspects the Chinese were behind the hack of Office of Personnel Management databases, and those hackers accessed not only personnel files but sensitive security clearance forms, which contain information that foreign intelligence agencies could use to target espionage operations, according to officials. Chinese officials maintain that they weren’t involved.
The administration disclosed the breach of personnel files on June 4th but not the security clearance theft. The security clearance theft was disclosed a week later, but investigators probing the theft already knew about it.
OPM Director Katherine Archuleta on Wednesday said her agency is investigating whether up to 18 million unique Social Security numbers were stolen as part of the cyber attack, though she cautioned that the numbers were unverified and preliminary.
Her statement was made during testimony to the House Oversight Committee. Lawmakers have accused OPM of not providing enough information about a breach, or perhaps a series of breaches, striking OPM in recent months and stealing troves of personnel records.
Ms. Archuleta said she believes an estimated 4.2 million personnel records of current and former government employees were stolen as part of one breach, but she said the estimates were much less precise on the hack of background check investigations that took place over a number of years.
Even before the OPM announced it had been hacked, officials at the office denied to The Wall Street Journal that security clearance forms were taken. A day after the public announcement, they denied it again, with an OPM spokesman saying there was “no evidence to suggest that information other than what is normally found in a personnel file has been exposed.”
Yet by that time, the FBI already knew, and told OPM, that the security clearance forms had in fact been accessed, these officials said.
The same day as the OPM denial, Janet Napolitano, president of the University of California system, sent a letter to university officials saying anyone with a security clearance, including people who have never worked for the federal government, could be affected by the hack. Ms. Napolitano is a former head of the Department of Homeland Security.
The FBI, which is investigating the OPM hack, didn’t define it the same way. When responding to computer attacks on companies or government agencies, the FBI leaves it to the victim agency to say publicly and to its employees what was taken. In the case of the OPM hack, however, FBI officials, including the director, James Comey, also had to speak to lawmakers about the incident, and he didn’t discuss the incident in the “two breaches” terms that OPM used, according to people familiar with the matter.
An OPM spokeswoman said the agency had been “completely consistent” in its accounting of the data breach.
“As the investigation into the personnel records intrusion continued, it was discovered that OPM systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may also have been compromised. We notified Congress of this intrusion as well.”
Some officials defended the White House and OPM categorization of the breach, saying they were following the internal decision-making process, which culminated in a June 8 finding by the National Security Council that they had high confidence the security clearance forms had been accessed. Four days later, the administration announced security clearance forms had, in fact, been accessed by the hackers.
Melanie Dougherty Thomas, who advises companies dealing with computer breaches, said deciding what to say about a breach—and when—is critical. “The general public understands there are breaches all the time. If you wait too long, you give the perception you’re trying to hide the facts, and that to people is unforgivable. The issue of timing is the most delicate part of breach response.”
Ms. Archuleta said OPM and other agencies are looking through the files to try to tabulate a more precise number of records that were stolen. She said the numbers could be less than 18 million, as some of the Social Security numbers could have been duplicates from other forms. But, she warned, the number of people whose personal information was stolen could also grow.
“It may well increase from these initial reports,” she said.