An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013. REUTERS/Kacper Pempel/Files

By Arshad Mohammed and Joseph Menn

WASHINGTON (Reuters) - When a retired 51-year-old military man disclosed in a U.S. security clearance application that he had a 20-year affair with his former college roommate's wife, it was supposed to remain a secret between him and the government.

The disclosure last week that hackers had penetrated a database containing such intimate and possibly damaging facts about millions of government and private employees has shaken Washington.

The hacking of the White House Office of Personnel Management (OPM) could provide a treasure trove for foreign spies.

The military man's affair, divulged when he got a job with a defense contractor and applied to upgrade his clearance, is just one example of the extensive potential for disruption, embarrassment and even blackmail arising from the hacking.

The man had kept the affair secret from his wife for two decades before disclosing it on the government's innocuously named Standard Form 86 (SF 86), filled out by millions of Americans seeking security clearances.

His case is described in a judge's ruling, published on the Pentagon website, that he should keep his security clearance because he told the government about the affair. His name is not given in the administrative judge's decision.

The disclosure that OPM's data had been hacked sent shivers down the spines of current and former U.S. government officials as they realized their secrets about sex, drugs and money could be in the hands of a foreign government.

The data that may be compromised by the incident, which was first reported by the Associated Press, included the detailed personal information on the SF 86 "QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS," according to U.S. officials.

U.S. SUSPECTS LINK TO CHINA

As with another cyberattack on OPM disclosed earlier this month, U.S. officials suspect it was linked to China, though they have less confidence about the origins of the second attack than about the first.

China denies any involvement in hacking U.S. databases.

While the Central Intelligence Agency does its own clearance investigations, agencies such as the State Department, Defense Department and National Security Agency, which eavesdrops on the world, all use OPM's services to some degree.

It was not immediately clear how many Americans' information may have been compromised, nor precisely how many fill out form SF 86. As of Oct. 1, there were 4.51 million people cleared or eligible to receive national security information, according to a report by the Office of the Director of National Intelligence.

Intelligence veterans said the breach may prove disastrous because China could use it to find relatives of U.S. officials abroad as well as evidence of love affairs or drug use which could be used to blackmail or influence U.S. officials.

An even worse scenario would be the mass unmasking of covert operatives in the field, they said.

"The potential loss here is truly staggering and, by the way, these records are a legitimate foreign intelligence target," said retired Gen. Michael Hayden, a former CIA and NSA director. "This isn't shame on China. This is shame on us."

The SF 86 form, which is 127-pages long, is extraordinarily comprehensive and intrusive.

Among other things, applicants must list where they have lived; contacts with foreign citizens and travel abroad; the names and personal details of relatives; illegal drug use and mental health counseling except in limited circumstances.

A review of appeals of security denials published on the web shows the variety of information now in possession of the hackers, including financial troubles, infidelities, psychiatric diagnoses, substance abuse, health issues and arrests.

"It's kind of scary that somebody could know that much about us," said a former senior U.S. diplomat, pointing out the ability to use such data to impersonate an American official online, obtain passwords and plunder bank accounts.

SOME AGENCIES LESS VULNERABLE

A U.S. official familiar with security procedures, but who declined to be identified, said some agencies do not use OPM for clearances, meaning their employees' data was at first glance less likely to have been compromised.

Story continues