It was already being described as the worst hack of the U.S. government in history. And it just got much worse. A senior U.S. official has confirmed that foreign hackers compromised the intimate personal details of an untold number of government workers.
Likely included in the hackers’ haul: information about workers’ sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity.
Those details, which are now presumed to be in the hands of Chinese spies, are found in the so-called “adjudication information” that U.S. investigators compile on government employees and contractors who are applying for security clearances. The exposure suggests that the massive computer breach at the Office of Personnel Management is more significant and potentially damaging to national security than officials have previously said.
Three former U.S. intelligence officials told that the adjudication information would effectively provide dossiers on current and former government employees, as well as contractors. It gives foreign intelligence agencies a roadmap for finding people with access to the government’s most highly classified secrets.
Obama administration officials had previously acknowledged the breach of information that applicants voluntarily disclose on a routine questionnaire, called Standard Form 86, but the theft of the more detailed and wide-ranging adjudication information appears to have gone overlooked.
“Whoever compromised the adjudication information is going to have clear knowledge, beyond what’s in the SF86, about who the best targets for espionage are in the United States,” Michael Adams, a computer security expert who served more than two decades in the U.S. Special Operations Command, told. “This is the most successful cyber attack in the history of the United States,” owing to the amount and quality of the information that was stolen, Adams said.
U.S. intelligence officers spend years trying to recruit foreign spies to gather the kinds of details and insights that are contained in adjudication information, one former senior U.S. official said. This official, who requested anonymity, added that adjudication information would give foreign intelligence services “enormous leverage” over U.S. personnel whom they might forcibly interrogate for information or try to recruit.
Adjudication information would include the results of polygraph examinations, both former U.S. officials said. The exam can be extraordinarily intimate, bordering on humiliating. One former official said a polygrapher once asked if he’d ever practiced bestiality. Another said questions are designed to root out potential leakers, noting that he was asked about what contacts he’d had with journalists, including in a social setting.
The OPM’s chief information officer, Donna Seymour, acknowledged when she testified at a House hearing on June 16 that “clearance adjudication information” had been compromised. But the remark went virtually unnoticed, as lawmakers mostly focused their attention on the agency’s embattled director and the OPM’s weak computer security.The adjudication process had a broad scope, taking into account the SF86 questionnaire, reports from background investigations, interviews with the applicant's family members and associates, his or her employment history, and for people seeking high-level clearances, the results of polygraph investigations.
Seymour said such records “span an employee’s career” and could stretch back as far as 30 years. Officials have said that as many as 18 million people may have been affected by the breach. Asked specifically what information the hackers had obtained, Seymour told lawmakers that she preferred to answer later in a “classified session.” Seymour didn’t specify how many people’s information was stolen. But the OPM oversees background investigations, which comprise a key part of the adjudication process, for more than 90 percent of security clearance applicants, according to the Congressional Research Service. An OPM spokesman didn’t respond to a request for comment in time for publication.
A former senior U.S. intelligence official, who asked to remain anonymous, said the OPM breach would cause more damage to national security operations and personnel than the leaks by Edward Snowden about classified surveillance by the National Security Agency. “This is worse than Snowden, because at least programs that were running before the leaks could be replaced or rebuilt,” the former official said. “But OPM, that’s the gift that keeps on giving. You can’t rebuild people.”
Adjudicators are in a powerful position because in deciding whether to recommend granting a security clearance, they have access to the entire scope of an applicant’s file and are told to make a subjective analysis. “The adjudication process is the careful weighing of a number of variables known as the whole-person concept,” according to official guidelines. “Available, reliable information about the person, past and present, favorable and unfavorable, should be considered in reaching a determination.”
By design, adjudication is an invasive process, meant to unearth risk factors including drug and alcohol abuse, extramarital affairs, a history of violence, and other events that speak to a person’s “trustworthiness” and their susceptibility to blackmail or being recruited to spy for a foreign government.
For instance, “compulsive gambling is a concern, as it may lead to financial crimes including espionage,” the guidelines say. Adjudicators are told to note “a pattern of compulsive, self-destructive, or high risk sexual behavior,” “relapse after diagnosis of alcohol abuse,” and “emotionally unstable, irresponsible, dysfunctional, violent, paranoid, or bizarre behavior,” among other warning signs in 13 categories.
Some of the embarrassing personal details found in some adjudications have been made public. That’s what happens after an applicant who was denied a security clearance launched an appeal. But those public reports are anonymous. The names are held back—but are contained in the OPM’s adjudication records. Those were compromised in the hack. In other words, it would be simple for spies to take these once-anonymous reports and attach a name to them.
How invasive are these exams? One applicant admitted to shooting his 19-year-old son in the leg during a physical altercation, sparked by an argument over whether his son’s girlfriend could live with him in the applicant’s grandmother’s house. Another applicant who’d held a clearance for 25 years while serving in the military had an affair with his former college roommate’s wife “on and off for more than twenty years,” his adjudicator noted. The applicant told the wife about the affair in 2014, and they’re “working through their problems.”
A third applicant was reprimanded by his supervisor for accessing pornography on his work computer. He had “not told his wife about these issues because he feels embarrassed by his conduct,” his file notes. Debts and drug and alcohol abuse are frequently considered in the adjudication process. One applicant was found to owe nearly $1.8 million from, among other things, four mortgages on three condominiums. He was denied a clearance. But another applicant’s clearance was granted on the condition that he stop drinking, after going through four alcohol addition treatment programs and relapsing every time.
Armed with such intimate details of a person’s worst moments, foreign spies would have unprecedented advantage against their U.S. adversaries. And the news is especially bad for people who hold the highest levels of clearance, which require more rigorous background checks, noted Adams, the computer security expert. “The higher up you go in your sensitivity levels, the more data that’s in your adjudication file,” he said.
110 Reykjavik, Iceland