Feds Eye Link to Private Contractor in Massive Government Hack


The hackers who recently launched a massive cyber-attack on the U.S. government, exposing sensitive information of millions of federal workers and millions of others, may have used information stolen from a private government contractor to break into federal systems, according to sources briefed on the matter.

Authorities suspect the hackers, likely from China, entered the U.S. Office of Personnel Management’s computer systems after first gaining access last year to the systems of KeyPoint Government Solutions -- one of the primary providers of background checks for the U.S. government, sources said.

KeyPoint representatives contacted by ABC News declined comment for this story.

Authorities, meanwhile, believe hackers were able to extract electronic credentials or other information from within KeyPoint's systems and somehow use them to help unlock OPM's systems, according to sources.

The hackers then rummaged through separate "segments" of OPM's systems, potentially compromising personal information of not only the 4 million current and former federal employees already acknowledged publicly but also millions more, including relatives, friends and maybe even college roommates, the sources said.

In an unrelated statement today, OPM said authorities have "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated," as previously reported by ABC News.

The fact that Colorado-based KeyPoint suffered a cyber intrusion was well-publicized late last year. But the scope of the hack may not have been completely understood at the time by even the nation’s top cyber officials, sources indicated. Last year's incident has yet to be officially tied to the recent OPM hack.

The KeyPoint incident, mostly affecting employees of the Department of Homeland Security, was first detected in September, and two months ago DHS began notifying federal employees whose personal information "may have been compromised."

The notification was clear about what information was exposed: "[Your] first and last name, social security number, job title, investigation case number, education history, criminal history, and employment history; spouse or cohabitant’s name, date of birth, and social security number; the names, addresses, and dates of birth of relatives of the investigation subject; and names and addresses of friends of the investigation subject."

DHS discovered the KeyPoint intrusion only after undertaking a thorough assessment of all such contractors -- a move prompted by the hacking of another federal contractor, according to DHS.

Asked why the government waited seven months to notify potential victims, one U.S. official said it took time for authorities to conclude personal information may have been stolen in the incident.

Nevertheless, KeyPoint put in place "additional safeguards" after the intrusion was detected, and those steps should "prevent future incidents of this nature," according to the government notification.

In addition to the KeyPoint incident, investigators are also looking into whether another previously known hack into OPM databases in March 2014 may be connected to the most recent breach.

That attack targeted an OPM system maintaining security clearance information. An OPM official, however, recently told lawmakers it didn’t expose any personal information.

Nevertheless, officials strongly suspect that earlier cyber-attack came from China, just as they believe the most recent intrusion did.

The most recent OPM hack is believed to have been far deeper and potentially more problematic than publicly acknowledged, sources said, with the hackers believed to have been moving in and out of government databases undetected for more than a year.

Much of the compromised data has been stored on OPM systems housed by the Department of the Interior in a Denver-area data center, sources said. And one of the "segments" compromised held forms filled out by federal employees seeking security clearances.

The 127-page forms -- known as SF-86's and used for background investigations -- require applicants to provide personal information not only about themselves but also relatives, friends and “associates” spanning several years. The forms also ask applicants if they have "illegally used a drug or controlled substance," and they require information on financial history and personal relationships.

That type of information, sources said, could be exploited to conduct "social-engineering" operations, potentially using the data to pressure or trick employees into further compromising their agencies.

Also of concern are U.S. employees stationed overseas, including in countries such as China, whose government would covet personal information on relatives and contacts of American officials living in the communist country, according to officials.

"If the SF-86's associated with this hack were, in their entirety, part of the stolen information, then that would mean the potential release of a staggering amount of information, affecting an exponential amount of people," one U.S. official told ABC News on Sunday.

Acting as the government's human resources division, OPM conducts about 90 percent of background investigations for the federal government. Information from SF-86 forms dating back three decades could have been exposed in the cyber-attack, sources said.

It's still unclear exactly what was compromised by the OPM hack, particularly because OPM officials and other authorities still don't have a good handle on how much information was actually stored by OPM in the first place, one U.S. official said.

Nearly 50 government agencies send data to OPM for storage in some form, according to the official.

The intrusion was only noticed after OPM began to upgrade its equipment and systems. As soon as anomalies within the systems were noticed, the Department of Homeland Security and FBI were notified.

Over two weeks, OPM will be sending notifications to the estimated 4 million current and former government employees whose "Personally Identifiable Information" may have been compromised by the hack.

And "since the investigation is ongoing, additional PII exposures may come to light," an OPM official acknowledged Sunday. "In that case, OPM will conduct additional notifications as necessary."

In a statement last week, an FBI spokesman said, "We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace."

Efforts to reach an OPM spokesman today were unsuccessful.