Feds Looking Into Whether Hack of US Government Affected Private Citizens Too

At least 4 million people could be affected, officials say.

ByABC News
June 7, 2015, 8:18 PM

— -- Federal investigators are trying to determine whether the massive hack into federal systems announced this past week impacted far more than the estimated 4 million current and former government employees already acknowledged by the Obama administration, sources familiar with the matter told ABC News.

In particular, investigators are considering the possibility that private citizens who never worked for the U.S. government may have also had personal information compromised, sources said.

At the heart of concern are forms filled out by federal employees seeking security clearances. The forms -- known as SF-86's and used for background investigations -- were exposed after hackers infiltrated the Office of Personnel Management's information systems in December, according to the sources.

Acting as the government's human resources division, OPM conducts about 90 percent of background investigations for the federal government. And federal employees who submit the SF-86 forms provide personal information not only about themselves but also relatives, friends, and potentially even college roommates.

"If the SF-86's associated with this hack were, in their entirety, part of the stolen information, then that would mean the potential release of a staggering amount of information, affecting an exponential amount of people," one U.S. official told ABC News.

Information from SF-86 forms dating back three decades could have been exposed in the cyber-attack, which the U.S. government strongly suspects was carried out by hackers in China, sources said.

Though it's still unclear exactly how much of that information was actually compromised, the government forms could offer hackers a treasure trove of new targets outside government.

Applicants seeking U.S. security clearances are required to provide the full names, dates of birth, places of birth and social security numbers of spouses or partners. Relatives' full names, dates of birth, current addresses and in some cases employment information are also required. And applicants are asked to submit -- among other things -- the full names, email addresses and telephone numbers of "three people who know you well."

"They should be friends, peers, colleagues, college roommates, associates, etc.," the form says.

Over the next two weeks, OPM will be sending notifications to an estimated 4 million people whose "Personally Identifiable Information" may have been compromised by the hack.

Those notifications "will state exactly what information may have been compromised," a senior administration official said.

And "since the investigation is on-going, additional PII exposures may come to light," an OPM official acknowledged. "In that case, OPM will conduct additional notifications as necessary."

Though the intrusion first took place sometime around December, OPM detected it four months later and then notified the FBI and Department of Homeland Security.

The OPM official said steps taken over the past year to bolster the agency's technology systems and further protect them "are why the agency was able to detect the recent intrusion into its networks."

In a statement Thursday, an FBI spokesman said, "We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace."

Multiple government officials said the hack could impact workers in several federal agencies, insisting that what's already been acknowledged publicly is just "the tip of the iceberg."

"This is the cyber breach of the year," one U.S. official said. "This is everything."

FBI and DHS declined to comment for this article.

ABC News' Justin Fishel and Erin Dooley contributed to this report.