Hack Defined as Two Distinct Breaches
June 24, 2015 | By Devlin Barrett |
OPM official says 18 million Social Security numbers could have been stolen in hack; FBI suspects China involved
By: Devlin Barrett
Wall Street Journal
WASHINGTON—Obama administration officials defined the hack of Office of Personnel Management employee documents as two distinct breaches, a decision that allowed officials to initially deny millions of the government’s most sensitive employee security records had been stolen, according to officials familiar with the matter.
Agents with the Federal Bureau of Investigation suspect China was behind the hack of OPM databases, and those hackers accessed not only personnel files but security clearance forms, which contain information that foreign intelligence agencies could use to target espionage operations, according to officials. Chinese officials have said they weren’t involved.
The administration disclosed the breach of personnel files on June 4 but not the security clearance theft, contrary to what investigators probing the theft already knew.
Director Katherine Archuleta on Wednesday said her agency is investigating whether up to 18 million unique Social Security numbers were stolen as part of the cyberattack, though she cautioned that the numbers were unverified and preliminary.
Her statement was made during testimony to the House Oversight Committee. Lawmakers have accused OPM of not providing enough information about a breach—or perhaps series of breaches—that have hit OPM in recent months and stolen troves of personnel records.
Ms. Archuleta said she believes 4.2 million personnel records of current and former government employees were stolen as part of one breach, but she said the estimates were much less precise on the hack of background check investigations that took place over a number of years.
“It is my understanding that the 18 million [number] refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigations data,” she said. “It is a number I am not comfortable with.”
Her acknowledgment to Congress suggests that the cyber thieves could have accessed sensitive of information of people who are related to government officials but have never actually worked for the federal government. That is because many government officials must list immediate family members—and their personal information—as part of background investigations.
The incident underscores the tensions within the government over what officials have described as one of the worst—if not the worst—breaches of government data. And it shows how government agencies and companies struggle in deciding what to tell employees and customers about stolen data.
Even before OPM announced it had been hacked, officials at the office denied to The Wall Street Journal that security clearance forms were taken. A day after the public announcement, they denied it again, with an OPM spokesman saying there was “no evidence to suggest that information other than what is normally found in a personnel file has been exposed.’’
Yet by that time, the FBI already knew—and told OPM—security clearance forms had in fact been accessed, these officials said.
The same day as the OPM denial, Janet Napolitano, president of the University of California system, sent a letter to university officials saying anyone with a security clearance—including people who have never worked for the federal government—could be affected by the hack. Ms. Napolitano is a former head of the Department of Homeland Security.
Officials familiar with the behind the scene discussions say OPM’s denials were based on a peculiar interpretation of what had happened at the agency. Officials at the White House and OPM agreed to handle the OPM problem as at least two separate breaches—one of the personnel files, and one of the security clearance forms, these officials said.
That had major implications for the initial description of damage. Rather than saying the hack implicated the private details of an estimated 18 million people—and potentially millions more if you count the relatives and close friends listed on the security clearance forms—the agency said about four million people were potentially affected.
The FBI, which is investigating the OPM hack, didn’t define it the same way. When responding to computer attacks on companies or government agencies, the FBI leaves it to the victim agency to say publicly and to its employees what was taken. In the case of the OPM hack, however, FBI officials, including the director, James Comey, also had to speak to lawmakers about the incident, and he didn’t discuss the incident in the “two breaches’’ terms that OPM used, according to people familiar with the matter.
An OPM spokeswoman said the agency had been “completely consistent’’ in its accounting of the data breach.
“As the investigation into the personnel records intrusion continued, it was discovered that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may also have been compromised. We notified Congress of this intrusion as well.’’
Some officials defended the White House and OPM categorization of the breach, saying they were following the internal decision-making process, which culminated in a June 8 finding by the National Security Council that they had high confidence the security clearance forms had been accessed. Four days later, the administration announced security clearance forms had, in fact, been accessed by the hackers.
Melanie Dougherty Thomas, who advises companies dealing with computer breaches, said deciding what to say about a breach—and when—is critical. “The general public understands there are breaches all the time. If you wait too long, you give the perception you’re trying to hide the facts, and that to people is unforgivable. The issue of timing is the most delicate part of breach response.’’
Ms. Archuleta said OPM and other agencies are looking through the files to try to tabulate a more precise number of records that were stolen. She said the numbers could be less than 18 million, as some of the Social Security numbers could have been duplicates from other forms. But, she warned, the number of people whose personal information was stolen could also grow.
“It may well increase from these initial reports,” she said.
Write to Devlin Barrett at firstname.lastname@example.org