OPM Hack Probe Hindered Because Digital Trail Has Been Erased, US Official Says

Much of the trail was erased by the time authorities detected the breach.

ByABC News
June 15, 2015, 5:47 PM

— -- The U.S. government is having a tough time figuring out the exact scope of the cyber-assault on the Office of Personnel Management because much of the digital trail was erased by the time authorities detected and began investigating the breach, a top Homeland Security official said today.

Information that would point to how many people inside and outside of government have been affected by the intrusion is simply lost, the head of the Department of Homeland Security’s cyber response team, Ann Barron-DiCamillo, told a group of attorneys in Washington.

“One of the things that’s difficult for us is coming up with a hard-and-fast number, especially with records that are out the door,” Barron-DiCamillo said in response to a question from ABC News.

Many government computer systems hold onto “data logs” -- records that document access to files, specific user activity, system traffic and more -- for up to 60 days, according to Barron-DiCamillo.

But “these events happened months ago,” she said of the OPM breach. “So a lot of the forensic evidence we need to be able to come up conclusively with those numbers [of victims] is just not there. And so the investigators have a really hard time trying to piece all that information together.”

“It’s trying to identify something that has been written over many times,” she added.

Sources briefed on the matter have been telling ABC News for days the OPM intrusion impacted far more than the 4.2 million current and former federal employees publicly acknowledged -- especially as it became increasingly clear the breach may have exposed sensitive information of U.S. military, law enforcement, diplomatic and intelligence officials around the world, including “foreign contacts” and relatives living overseas.

In a statement Friday, OPM acknowledged that even many “prospective federal employees” may have had information about their background investigations stolen. In addition, the cyber-assault on OPM has also affected military contractors who used to work for the military, OPM said in a message distributed to military personnel.

In her remarks today, Barron-DiCamillo indicated the official number of 4.2 million potential victims is likely to rise.

“Information as it’s known and it’s confirmed is being [released], but more information is being found,” she said. “We’re continuing to investigate, and there will be a transition as we get to more conclusive facts. But that takes times.”

Meanwhile, Barron-DiCamillo, the director of DHS' U.S. Computer Emergency Readiness Team, seemed skeptical of reports saying number of victims could reach 14 million.

“I haven’t seen that number, I don’t know where that came from,” she said.

Another DHS official, Daniel Sutherland, said the public will “get some more concrete answers” at a House Oversight and Government Reform Committee hearing on Tuesday.

Information about the breach has been trickling out for the past week. On Friday, OPM acknowledged that information “related to the background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.”

Also on Friday, ABC News learned the hackers, believed to be from China, may have used information stolen from a private government contractor to ultimately break into federal systems, according to sources briefed on the matter.

Authorities suspect the hackers entered OPM’s computer systems months ago after first gaining access months earlier to the systems of KeyPoint Government Solutions -- one of the primary providers of background checks for the U.S. government, sources said.

KeyPoint representatives contacted by ABC News on Friday declined comment. But authorities believe hackers were able to extract electronic credentials or other information from within KeyPoint's systems and somehow use them to help unlock OPM's systems, according to sources.

Over more than a year, the hackers then rummaged -- undetected -- through separate "segments" of OPM's systems. One of the "segments" compromised held forms filled out by federal employees seeking security clearances.

The 127-page forms -- known as SF-86's and used for background investigations -- require applicants to provide personal information not only about themselves but also relatives, friends and “associates” spanning several years. The forms also ask applicants if they have "illegally used a drug or controlled substance," and they require information on financial history, mental health history and personal relationships.

That type of information, sources said, could be exploited to conduct "social-engineering" operations, potentially using the data to pressure or trick employees into further compromising their agencies.

Acting as the government's human resources division, OPM conducts about 90 percent of background investigations for the federal government. Information from SF-86 forms dating back three decades could have been exposed in the cyber-attack, sources said.

DHS discovered the KeyPoint intrusion only after undertaking a thorough assessment of all such contractors -- a move prompted by the hacking of another federal contractor, according to DHS.

In addition to the KeyPoint incident, investigators are looking into whether other previously-known hacks, including the March 2014 intrusion of OPM databases, may be connected to the most recent breach.

Efforts to reach an OPM spokesman have been unsuccessful.