SAN FRANCISCO — The breach of information on millions of U.S. government employees could be much wider than first acknowledged, with government officials saying Friday that a database containing highly sensitive, personal information on employees may also have been compromised.
The breach, which officials have attributed to Chinese hackers, may have also compromised a database of forms known as Standard Form 85 and 86 according to anonymous government officials who spoke to AP. Those forms require government employees to fill out information about any prior mental illnesses, drug and alcohol use, and any financial difficulties. The Social Security numbers of the applicants, and any of their cohabitants, are also required.
BuzzFeed News originally reported that those forms may have been compromised last week. Friday's reports confirm that not only were those forms likely accessed, they were also likely unencrypted.
"This is potentially devastating from a counterintelligence point of view," Joel Brenner, a former top counterintelligence official for the U.S. government, told the Washington Post. "These forums contain decades of personal information about people with clearances... which makes them easier to recruit for foreign espionage on behalf of a foreign country."
In an interview with ABC, Brenner later added that the breach "tells the Chinese the identities of almost everybody who has got a United States security clearance... That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That's a gold mine. It helps you approach and recruit spies."
The Office of Personnel Management (OPM), which was the target of the hack, has not yet notified individuals whose security was breached. BuzzFeed News spoke to several federal employees who described a "collective panic" among their colleagues. The OPM did not answer a request for comment Friday on whether the 85 and 86 forms were hacked, or whether those forms were encrypted.
On Thursday, the President of the American Federation of Government Employees (AFGE) claimed that all federal employees and retirees, as well as one million former federal employees, had their personal information stolen in the OPM breach. The AP later ran a story quoting unnamed sources estimating that 14 million current and former U.S. government employees had their data exposed.
The OPM is responsible for handling government security clearance as well as personal records for all federal employees. The records kept by the OPM include the answers to this 127-page questionnaire, which covers a range of personal and professional history.
The breach is the third known foreign hack of a government computer system in the past year, and the second to be attributed to Chinese hackers. Earlier this month, the FBI announced it was opening an investigation into a hack of the IRS, in which tax transcripts for over 100,000 taxpayers were compromised. Investigators have said that as much as $39 million may have been stolen from the federal government by hackers using the tax records to file false refund requests.
While that attack appeared to be criminally motivated, cybersecurity experts said it was too early to tell whether the hack into the OPM was done by cybercriminals or as part of a wider espionage campaign by China.
A Chinese government official branded accusations the country is responsible for one of the largest U.S. federal data breaches ever as "irresponsible", AP reported.
During a regular news briefing in Beijing last Friday, Chinese Foreign Ministry spokesman Hong Lei said that the U.S. should be "less suspicious and stop making any unverified allegations, but show more trust and participate more in cooperation."
He added: "We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source. It's irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation."
Last summer, the OPM announced that hackers were attempting to access the files of thousands of employees who had applied for top-secret security clearance. The more recent attack, however, appeared to cover a much larger scope.
"Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident," wrote the OPM in a statement posted online. The office added that it would be providing an 18-month credit monitoring and identity theft protection service to federal employees affected by the breach. The office said that it was working with the FBI to determine the impact of the breach.
"The FBI is working with our interagency partners to investigate this matter. We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace," the FBI said in a statement to BuzzFeed News.
The Chinese hackers managed to breach the system of the OPM in December, according to government officials quoted in the Wall Street Journal.
The breach was first discovered in April 2015, and confirmed the next month using a new network monitoring plan put in place by the Department of Homeland Security and its interagency partners, according to a statement by DHS spokesperson S.Y. Lee.
"Based upon these response activities, DHS concluded at the beginning of May 2015 that OPM data had been compromised," Lee said. "The FBI is also conducting an investigation to identify how and why this occurred. As we constantly do, DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion."
An unnamed U.S. official who spoke to the AP said the data breach could potentially impact every federal agency. An unnamed government official who spoke to the Journal said the attack could be "one of the largest thefts of government data ever seen."
An unnamed government official spoke to the Wall Street Journal. An earlier version of this post cited the source as an FBI official.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.