An early internal assessment by the Office of Personnel Management warned that the cyber-assault on its computer systems may have compromised personal information of tens of millions of people, with the hack of one particular system alone potentially affecting 18 million Americans, ABC News has learned.
Those were “very raw numbers,” and investigators are still conducting “many forensic steps” to determine whether so many people actually had their personal information stolen, a source close to the investigation said today.
Nevertheless, the early assessment shows how federal officials have feared a vastly bigger universe of victims than what has been publicly acknowledged so far.
In the nearly three weeks since OPM announced a hack of personnel records, U.S. officials have only publicly released the number 4.2 million, referring to current and former federal employees known to be impacted by that breach.
But hackers had access to far more than the personnel records, rummaging undetected through various OPM systems for more than a year -- all part of a suspected cyber-campaign out of China to collect information on federal workers inside the United States and others around the world, sources told ABC News.
“Coming up with a hard-and-fast number” for those impacted by the compromise of other OPM systems has been “really hard,” largely because much of the digital trail was erased by the time authorities detected the intrusions, a top Homeland Security official said last week.
On June 4, the same day OPM announced the hack of personnel records, an OPM official privately distributed a memo to colleagues and counterparts, charting OPM systems and detailing data sets potentially breached by the onslaught of cyber-attacks, according to sources familiar with the memo.
The memo indicated that because a certain OPM system was likely breached, Social Security numbers or other personal information tied to 18 million people could now be in the hands of foreign hackers, sources said.
But other systems at risk were also mentioned in the memo, including one database covering background checks, known as the Electronic Questionnaires for Investigations Processing system -- or “e-QIP,” sources said.
“e-QIP allows the user to electronically enter, update and transmit their personal investigative data over a secure internet connection,” according to OPM’s website.
Sources said the e-QIP system was likely breached, allowing hackers to steal forms -- known as “SF-86” forms -- submitted by federal employees and others seeking security clearances.
In early June, some lawmakers pressing for answers on the OPM intrusions were quietly told of the potential outcome outlined in the June 4 memo, sources said.
“We’re still trying to ascertain exactly which individuals were impacted and which records” were taken, the source close to the investigation said.
If SF-86 forms were stolen in their entirety, an “exponential amount of people” could be affected, including U.S. military, law enforcement, diplomatic and intelligence officials around the world, a source previously told ABC News.
The forms require applicants to provide personal information not only about themselves but also relatives, friends and “associates” spanning several years.
The forms ask applicants about past drug use, financial history, mental health history and personal relationships.
That type of information could be exploited to pressure or trick employees into further compromising their agencies, sources said.
ABC News previously reported the OPM hackers may have used information stolen last year from a private government contractor, KeyPoint Government Solutions, to ultimately break into federal systems.
KeyPoint has repeatedly declined requests for comment from ABC News.
During a House hearing last week, a senior cyber-official within the Department of Homeland Security, Andy Ozment, warned other hacks into government and private systems “are already occurring. ... We just don't know it yet.”
Each month, OPM “thwarts” an average of 10 million “intrusion attempts,” OPM Director Katherine Archuleta said in written testimony for the same hearing.
Archuleta said that when she took over as director 18 months ago, she “immediately became aware of security vulnerabilities” and undertook “an aggressive effort” to bolster OPM’s firewalls and other cyber-security measures.
“But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network,” she said.
House and Senate committees this week are set to hold three more public hearings on the whole matter, plus at least one briefing behind closed doors.