Breach of Employee Data Wider Than Initial Report, U.S. Says

A sign stands outside of the Theodore Roosevelt Building, headquarters of the U.S. Office of Personnel Management (OPM), in Washington, D.C., U.S., on Friday, June 5, 2015. The disclosure by U.S. officials that Chinese hackers stole records of as many as 4 million government workers is now being linked to the thefts of personal information from health-care companies. The hackers, thought to have links to the Chinese government, got into the OPM computer system late last year, according to one U.S. official.

Photographer: Andrew Harrer/Bloomberg

Hackers may have accessed a second set of U.S. government personnel records, including employee background investigations, in one of the largest thefts of data on federal workers, the White House said.

The second intrusion was carried out by the same hackers who stole records on more than 4 million federal workers maintained by the Office of Personnel Management, the government’s human resources agency, according to a U.S. official who asked for anonymity because of a continuing probe.

Investigators have “a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated,” Samuel Schumach, a spokesman for the personnel agency, said in a statement on Friday.

Bloomberg News previously reported that records on background investigations were accessed by hackers. The White House had declined to comment until releasing a statement on Friday.

Security Clearances

The announcement of a second suspected breach follows revelations that the hack could involve as many as 14 million current and former government workers. The higher total, more than triple the 4 million originally cited by the personnel office, comes from a lawmaker briefed on the investigation who asked not to be identified discussing classified information.

Government background investigations can include sensitive information about individuals’ arrest records and personal lives. People seeking security clearances must provide information such as bankruptcy filings and substance-abuse history.

The possibility of a second breach was shared by U.S. investigators with relevant federal agencies on June 8, according to the White House. The intrusion into the personnel agency data was first revealed publicly on June 4.

White House Press Secretary Josh Earnest said on Friday that the Federal Bureau of Investigation continues to work to determine the scope of the intrusion and the identity of the hackers. He declined to confirm reports that the Chinese government initiated the attacks.

More than 5 million Americans hold security clearances, as many as 1.5 million of them at the top secret level, and about a third of the total are private contractors. The White House said the second potential breach included “prospective federal employees, and those for whom a federal background investigation was conducted,” a description that may include federal contractors and people considered for federal jobs who weren’t hired.

Intelligence Community

Additionally, some members of the intelligence community, including clandestine service officers, first obtained security clearances in the military. While the Central Intelligence Agency and other intelligence services maintain their records separately, their agents’ military background checks may have been swept up in the breaches.

“Protecting the computer networks of the federal government is a daunting challenge,” Earnest told reporters Friday. “It does require the federal government to be nimble, something that’s difficult when you’re talking about an organization that’s this large.”

The twin intrusions prompted an effort to shore up defenses across the federal government.

U.S. Chief Information Officer Tony Scott has called on all federal agencies to take steps to protect their computer networks, including using more “multi-factor authentication” and patching known vulnerabilities. Agencies have 30 days to report their actions and the challenges they face, the White House said in a statement.

Scott established a “Cybersecurity Sprint Team” on Friday to lead a 30-day cybersecurity review of government agencies. The team includes officials from the Department of Homeland Security, the National Security Council, the Department of Defense and other agencies.
