More federal personnel records have been hacked than previously reported and U.S. officials are weighing responses ranging from new counterintelligence initiatives to destroying the data in the intruders’ servers, according to people briefed on the investigation.
The breach is already considered one of the largest thefts of U.S. government personnel data in history, and investigators now estimate that it may include data on as many as 14 million people, more than triple the 4 million current and former government employees reported by the Office of Personnel Management last week, according to one lawmaker who asked not to be identified when discussing the investigation.
Four others, including lawmakers and people briefed on the investigation, said the number of people whose data was stolen was significantly higher than 4 million. They said the government doesn’t have a full count yet because multiple investigations are under way, including into whether other agencies were hit, according to officials involved in the inquiries.
The hackers rifled computers unseen for months, vacuuming up huge quantities of data. Security firms say forensic evidence links the thefts to similar attacks on Indianapolis-based health-insurance providers Anthem Inc. and Premera Blue Cross that were reported earlier this year and are suspected by U.S. officials to be the work of the Chinese government—a charge the Chinese embassy has denied.
The hackers “are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees,” including pay history, health insurance and military records, J. David Cox, president of the American Federation of Government Employees, wrote in a letter sent Thursday to the Office of Personnel Management.
Investigators suspect the hackers were pursuing not only the personal information on federal employees, but also passwords and encryption keys that could be used for espionage and trade-secret theft, according to the officials, who spoke on condition of anonymity because the probe is continuing.
“The magnitude of what happened is probably one of the most serious breaches we’ve had to date,” said Senator Richard Burr, a North Carolina Republican and chairman of the Senate intelligence committee.
The Obama administration’s response involves probing by spy agencies, a law enforcement probe led by the Federal Bureau of Investigation, and a technical investigation into the scope of the breach by the Department of Homeland Security.
Counterintelligence specialists at the FBI and elsewhere are analyzing the risks of the information ending up in the hands of a rival intelligence agency. One option is to put in place enhanced rules on how former and current security clearance holders report being approached by foreigners, according to a person familiar with the discussion.
U.S. intelligence agencies, including the National Security Agency, are also working to trace the exact source of the hack and infiltrate the servers and other computers used to execute the intrusion.
In past attacks, U.S. intelligence agencies have been able to destroy or alter stolen data to make it less useful, and that may be an option in this case if the data can be located, according to the person.
The attack points to the need for the Obama administration to develop a clear policy “about whether we’re going to play defense or whether we’re going to play offense,” said Senator John McCain, an Arizona Republican and chairman of the Senate Armed Services Committee.
“You can either try to just build defenses against it or when you know that it’s out there you can preemptively strike it,” McCain said.
“If they can identify a place that is going to launch an attack on the United States—say shut down our electricity grids—then it seems to me that we should preempt that by disabling their ability to do so,” he said.
McCain and Burr said they believe the scope of the breach is significantly bigger than 4 million.
The personnel office declined to say whether the number of people affected exceeded the 4 million the agency described last week. “For security reasons, we will not discuss specifics of the information that might have been compromised,” Samuel Schumach, a spokesman for the agency, said in an e-mail. “The investigation is ongoing and OPM is committed to conducting notifications as necessary.”
The larger estimate accounts for, among other things, hackers stealing information for millions of current and former employees of government contractors as well as for contractors going back to the 1980s, according to two additional people briefed on the probe.
One impediment to determining the scope of the attack is that investigators haven’t been able to trace all the threads—especially those leading to private companies—because many businesses are concerned that disclosing a network penetration could expose them to lawsuits, the officials said.
Hundreds of agents across various parts of government are now involved in the probe, sifting through reams of forensics data in order to trace the tentacles of the Chinese spying operation which began last year and included OPM, several government contractors and some of the country’s largest health-care companies.
The government’s response is being coordinated by the Deputies Committee, the highest government entity dealing with issues of national security below the cabinet, which is charged with developing a plan for the hack’s fallout.
The biggest concern is that the hackers accessed databases that included background checks for national security clearances, including detailed forms filled out by individuals providing personal histories, foreign travel, arrests, drug and alcohol use and other details that could be used by foreign intelligence operatives for blackmail or recruitment.
According to one person familiar with the probe, one worry is the vulnerabilities exposed by information about people who failed to get a clearance because of drug use, financial problems or other issues. Those people may still hold important positions in government or have moved to influential jobs in the private sector, and a foreign intelligence agency may now have secrets they don’t want exposed.