Officials Masked Severity Of Hack

June 24, 2015

Devlin Barrett and Damian Paletta

WASHINGTON—The Obama administration for more than a week avoided disclosing the severity of an intrusion into federal computers by defining it as two breaches but divulging just one, said people familiar with the matter.

That approach has frustrated lawmakers as they probe the administration’s handling of one of the biggest-ever thefts of government records.

Agents with the Federal Bureau of Investigation suspect China was behind the hack of Office of Personnel Management databases discovered in April, and that those hackers accessed not only personnel files but security-clearance forms, current and former U.S. officials said. Such forms contain information that foreign intelligence agencies could use to target espionage operations. Chinese officials have said they weren’t involved.

The administration on June 4 disclosed the breach of personnel files—but not the security-clearance theft. That theft was disclosed a week later, even though investigators knew about it much earlier, people familiar with the situation said.

OPM Director Katherine Archuleta on Wednesday said her agency is investigating whether up to 18 million unique Social Security numbers were stolen as part of the attack on security-clearance records, though she cautioned that the number was unverified and preliminary.

Her statement came during testimony before the House Oversight and Government Reform Committee. Many lawmakers have accused OPM of not providing enough information about what was stolen.

Rep. Jason Chaffetz (R., Utah), who heads the oversight panel, reiterated on Wednesday his call for Ms. Archuleta to resign, something she said she had no plans to do.

An OPM spokeswoman said the agency had been “completely consistent” in its accounting of the data breach.

“As the investigation into the personnel records intrusion continued, it was discovered that OPM systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may also have been compromised,” the spokeswoman said. “We notified Congress of this intrusion as well.”

As an investigation points to burgeoning effects of the OPM hack, with millions of personnel records, background checks and Social Security numbers possibly stolen, questions over the administration’s handling of the intrusion are growing.

Melanie Dougherty Thomas, who advises companies dealing with computer breaches, said deciding how much to say about a breach—and when—is critical.

“The general public understands there are breaches all the time. If you wait too long, you give the perception you’re trying to hide the facts, and that to people is unforgivable,” she said.

Before the OPM formally announced June 4 that it had been hacked, officials at the agency denied to The Wall Street Journal that security-clearance forms were taken, as people familiar with the attack had described.

A day after the public announcement, an OPM spokesman said there was “no evidence to suggest that information other than what is normally found in a personnel file has been exposed.” By that time, the FBI already knew—and told OPM—that security-clearance forms had been tapped, officials said.

On June 5, the same day as the OPM denial, Janet Napolitano, president of the University of California system, sent a letter to university officials saying anyone with a security clearance—including people who have never worked for the government—could be affected by the hack. Ms. Napolitano, a former head of the Department of Homeland Security, didn’t respond to requests for comment.

Officials familiar with the behind-the-scenes discussions said officials at the White House and OPM agreed to handle the problem as at least two separate breaches—one of the personnel files, and one of the security-clearance forms.

That had major implications for the initial description of damage. Rather than saying the hack potentially involved the private details of an estimated 18 million people—and possibly millions more if relatives and close friends listed on the security clearance forms are counted—the agency said about four million people were potentially affected.

The FBI, which is investigating the OPM hack, didn’t define it the same way. When responding to computer attacks on companies or government agencies, the FBI leaves it to the victimized agency to tell the public and its employees what was taken. But in the case of the OPM, FBI officials, including the director, James Comey, also had to speak to lawmakers about the incident, and Mr. Comey didn’t discuss the incident as two breaches, said people familiar with the matter.

Some administration officials defended the White House and OPM description of the breach, saying officials were following an internal decision-making process, which culminated in a June 8 finding by the National Security Council that officials had high confidence the security-clearance forms had been accessed.

Four days later, the administration announced these forms had, in fact, been tapped by the hackers.

Ms. Archuleta said in her testimony Wednesday she believes 4.2 million personnel records of current and former government employees were stolen, but said estimates were less precise about the hack of background-check investigations, which took place over a number of years.

“It is my understanding that the 18 million [number] refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigations data,” she said. “It is a number I am not comfortable with.”

The dispute over the extent of the breach flared the day before in a private briefing with lawmakers, said people familiar with the discussion. When Ms. Archuleta said she didn’t know where the figure of 18 million Social Security numbers came from, a senior FBI official interjected and said it was based on her agency’s own data, these people said.

An FBI spokesman declined to comment on the closed-door briefing, as did an OPM spokeswoman.

Ms. Archuleta told Congress OPM and other agencies are looking through the files to try to tabulate a more precise number of records that were stolen. She said the numbers could be less than 18 million, as some of the Social Security numbers could have been duplicates from other forms. But, she warned, the number of people whose personal information was stolen could also grow.

“It may well increase from these initial reports,” she said.
