OPM Hack Far Deeper Than Publicly Acknowledged, Went Undetected For More Than A Year, Sources Say

The hack was far deeper and potentially more problematic than acknowledged.

By ABC News
June 11, 2015, 4:59 PM

The massive hack into federal systems announced last week was far deeper and potentially more problematic than publicly acknowledged, with hackers believed to be from China moving through government databases undetected for more than a year, sources briefed on the matter told ABC News.

"If [only] they knew the full extent of it," one U.S. official said about those affected by the intrusion into the Office of Personnel Management's information systems.

It all started with an initial intrusion into OPM's systems more than a year ago, and after gaining that initial access the hackers were able to work their way through four different "segments" of OPM's systems, according to sources.

Much of that data has been stored on OPM systems housed by the Department of the Interior in a Denver-area data center, sources said. And one of the four "segments" compromised held forms filled out by federal employees seeking security clearances.

As ABC News previously reported, the 127-page forms — known as SF-86's and used for background investigations — ask applicants for personal information not only about themselves but also relatives, friends, and potentially even college roommates.

OPM insists the information compromised by the intrusion into its systems does "not [include] the names of family members."

"Family members of employees were not affected by this breach," OPM says on its website.

However, U.S. officials speaking on the condition of anonymity say unequivocally such information was put at serious risk by the OPM hack. Of utmost concern are U.S. employees stationed overseas, including in countries such as China, whose government would covet personal information on relatives and contacts of American officials living in the communist country, according to officials.

"If the SF-86's associated with this hack were, in their entirety, part of the stolen information, then that would mean the potential release of a staggering amount of information, affecting an exponential amount of people," one U.S. official told ABC News on Sunday.

Acting as the government's human resources division, OPM conducts about 90 percent of background investigations for the federal government. Information from SF-86 forms dating back three decades could have been exposed in the cyber-attack, which the U.S. government strongly suspects was carried out by hackers in China, sources said.

Applicants seeking U.S. security clearances are required to provide the full names, dates of birth, places of birth and social security numbers of spouses or partners. Relatives' full names, dates of birth, current addresses and in some cases employment information are also required. And applicants are asked to provide the full names, dates of birth and addresses of "foreign contacts" — defined as a foreign national, including relatives, "with whom you, or your spouse, or cohabitant are bound by affection, influence, common interests, and/or obligation."

It's still unclear exactly what was compromised by the OPM hack, particularly because OPM officials and other authorities still don't have a good handle on how much information was actually stored by OPM in the first place, one U.S. official said. Nearly 50 government agencies send data to OPM for storage in some form, according to the official.

The intrusion was only noticed after OPM began to upgrade its equipment and systems. As soon as anomalies within the systems were noticed, the Department of Homeland Security and FBI were notified.

Over the next two weeks, OPM will be sending notifications to an estimated 4 million current and former government employees whose "Personally Identifiable Information" may have been compromised by the hack.

Those notifications "will state exactly what information may have been compromised," OPM says on its website.

And "since the investigation is ongoing, additional PII exposures may come to light," an OPM official acknowledged Sunday. "In that case, OPM will conduct additional notifications as necessary."

In a statement last week, an FBI spokesman said, "We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace."

An OPM spokesman did not immediately return a call seeking comment.