The CIA’s Secret 2009 Data Breach, Revealed For The First Time

The inspector general’s 2010 report, obtained by BuzzFeed News through a Freedom of Information lawsuit, details an incident that “could have caused irreparable damage.”

In a security breach never before made public, a CIA employee disclosed highly classified government source code to a contractor who was not authorized to receive it — an incident that the agency’s internal watchdog warned “could have caused irreparable damage.”

For America’s national security agencies, contractors pose a particular danger. They have been responsible for some of the most damaging national security leaks, from Edward Snowden’s release of National Security Agency files, to the ongoing Wikileaks dump of classified CIA source codes for the tools the CIA uses to hack into mobile phones, computers, Wi-Fi networks, online chat and calling services, and more. And last month, the intelligence contractor Reality Winner was charged with leaking a top-secret NSA document about Russia’s interference in the 2016 election.

This newly disclosed release of classified material appears to have been contained, but it shows how difficult it is to completely protect classified information. The breach took place in 2009, and details about it were revealed in a heavily redacted February 18, 2010, CIA inspector general’s report obtained by BuzzFeed News in response to a two-year-old Freedom of Information Act lawsuit.

The inspector general was tipped off on June 19, 2009, the report says. After launching an investigation, which involved interviews with four people and a review of CIA cables and contract information, the inspector general discovered that a second CIA employee was also involved, although the unredacted portions of the report do not explain how.

The source code was contained on disks marked “classified.” The first of the two CIA employees crossed out the classified markings, wrote “UNCLASSIFIED,” and handed over the disks to a contractor.

The name of that CIA employee was withheld on privacy grounds, but the report says that she was the “original classification authority” of the source code. That means she had the power to classify and declassify certain material. Still, the inspector general said the contractor who received it was not “cleared” to do so.

Although the CIA employee was “authorized to be in possession of the source code from [redacted] she was not authorized to use the source code,” the inspector general’s report said.

What the source code is and what the CIA used it for remains a mystery because that information is still classified.

Since March, the CIA has been reeling from the ongoing Wikileaks release of sensitive source code, a dump that US intelligence officials have characterized as the largest leak of CIA documents in history.

While the two cases are obviously different — one was never made public and the other is available to the whole world — they have something in common: “No matter how detailed and rigorous the security procedures might be, the human factor can be counted on to mess them up,” said Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists. “It is safe to assume that somebody, somewhere is going to defeat security protocols through negligence, stupidity, or malice.”

Security officials worked to “contain and eradicate” the damage from the “unsanctioned disclosure,” the report says, and CIA staffers said the disks had been returned. But the inspector general’s report noted that wasn’t the case: the disks “remain missing.”

The inspector general recommended that another agency review the case and decide whether to discipline the employee. Whether any action was taken — and, if so, by what agency — is unknown. The CIA declined to comment for this story.

Skip to footer