WASHINGTON (TIP): The Chinese breach of the Office of Personnel Management network was wider than first acknowledged, and officials said Friday, June 12, that a database holding sensitive security clearance information on millions of federal employees and contractors also was compromised.
The announcement of the hack of the security-clearance database comes a week after OPM disclosed that another personnel system had been compromised. The discovery of the first breach led investigators to find the second — all part of one campaign by the Chinese, U.S. officials say, evidently to obtain information valuable to counterespionage.
In an announcement, OPM said that investigators concluded this week with “a high degree of confidence” that the agency’s systems containing information related to the background investigations of “current, former and prospective” federal employees, and others for whom a background check was conducted, were breached.
OPM is assessing how many people were affected, spokesman Samuel Schumach said. “Once we have conclusive information about the breach, we will announce a notification plan for individuals whose information is determined to have been compromised,” he said.
China has dismissed the hacking allegations, with a Foreign Ministry spokesman last week calling them “irresponsible and unscientific.”
What complicates this case is that unlike many other Chinese breaches of U.S. networks, the OPM hacks do not involve theft of commercial secrets. Last year, the United States indicted five Chinese military officials on charges of commercial cyberespionage. With traditional espionage, the options are fewer.
“You’re not going to start a shooting war over this,” a former intelligence official said. “We need to improve our defenses. We also want to go on the offense.”
Offensive actions might include directing a U.S. agency to locate the servers holding the stolen data and deleting or altering the data, the former official said.
The administration timed its announcement last week of the initial OPM breach to comply with its own policy, as reflected in proposed legislation, to notify individuals of a breach within 30 days of concluding that there is a “reasonable basis to believe” that personal information has been compromised, the first U.S. official said.
Although the breach was discovered in April, it was not until early May that investigators determined that employees’ personal data probably was taken. That led to the announcement last week even though, the official said, the investigation was not complete.
During a briefing for congressional staff last week, Ann Barron-DiCamillo, a senior DHS official, tried to explain the delay in alerting employees to the breach. “It takes time to do the forensics and to understand what’s happened, and even to understand what data, if any, has been exposed,” she said, according to notes taken by a congressional aide.
The breach, she said, took place in December. “It took a while to pinpoint what actually went out the door because it happened six months ago,” she said.