Hackers have breached a database containing a wealth of sensitive information from federal employees’ security background checks, the Obama administration said Friday — news that experts say could deal a devastating blow to U.S. intelligence gathering.

The revelations came just a week after officials disclosed a previous massive cyber intrusion into the same federal personnel office, compromising records of more than 4 million current and past employees in a breach that administration officials have privately blamed on Chinese hackers.
The stolen records in the hack disclosed Friday included data on intelligence and military personnel, The Associated Press reported. A senior administration official would not confirm that information but confirmed that the breach occurred at the Office of Personnel Management.

The hackers are believed to have obtained data from a security intake form known as a Standard Form-86, which includes details such as financial trouble, past convictions, drug use and close relationships with citizens of other countries. The form is used for background checks of current, former and prospective federal employees.

“This is crown jewels material … a gold mine for a foreign intelligence service,” said Joel Brenner, a former NSA senior counsel.

The SF-86 breach could have dire consequences for U.S. intelligence gathering, former officials said, noting that it would make it extremely difficult for anyone whose records are in the database to ever work in a covert capacity. For example, that would include someone employed by the State or Agriculture departments who gathers intelligence for the Defense Intelligence Agency.

“This is not the end of American human intelligence, but it’s a significant blow,” Brenner said.

As of October, 4.5 million Americans were cleared for access to classified information, including approximately a million contractors.

And because the SF-86s are stored in an indexed database, that database could also be combed for secrets, said Robert Caruso, a former Navy special security officer who has worked in security at the State and Defense departments. For example, Chinese agents could search the database for instances when agents with NSA covers were in the same place at the same time and make reasonable deductions about what they were doing there.

Brenner and Caruso both said it’s likely that clearance forms from the Defense Department and its related intelligence agencies, including NSA and the Defense Intelligence Agency, could be accessed through OPM. It’s much less likely that CIA employee clearance information was accessed that way because the CIA has traditionally insisted on managing its own personnel information.

“CIA refuses to put its people’s information in with OPM, and of course they’re right,” Brenner said. One lesson to draw from the breach, he said, is that “any serious clandestine agency has to be in charge of its own personnel information. Full stop.”

Investigators became aware of this second breach of the OPM’s systems as they pursued a previously disclosed breach into an unencrypted system holding personnel files of as many as 4.2 million current and past federal employees. That information included Social Security numbers, as well as names, addresses, pay grades, personnel actions and pension, insurance and health plan details.

The administration official said the relevant federal agencies received notification of the latest hack on Monday. “We expect OPM will conduct additional notifications as necessary,” the official said in a statement.

Administration officials have said privately that signs point to the first hack having originated in China, and security experts have said it appeared to be part of a Chinese effort to build dossiers on federal employees who might be approached later for espionage purposes.

Friday’s new revelations appeared to back up that theory.

The SF-86 “gives you any kind of information that might be a threat to [the employees’] security clearance,” said Jeff Neal, a former Department of Homeland Security official and a senior vice president at ICF International. “It’s really a personal document.”

It’s likely that the hackers are building a database on federal employees to “make it easier for them to try to pick off people that they want,” he added, saying most Americans who end up spying for foreign governments are motivated by money. With the security clearance data, plus the data from their earlier OPM hack, the attackers can compile lists of attractive and vulnerable intelligence targets.

Previously revealed data breaches at U.S. health insurance companies, which have also been attributed to Chinese state actors, only compound the accuracy of such a database, Neal said. “They can basically build a large record on federal employees.”

One federal cybersecurity official said the stolen data go beyond just the information on the employees themselves.

“They got more than just your security form,” the official said, speaking on condition of background. “They got the supporting documentation.”

Attackers also have information not only on federal employees with security clearances, but also on any contacts that those cleared personnel listed on the form. “How deep is the personally identifying information on the other people, I don’t know,” the official said. “It might just be their contact information, and I think that’s what [investigators are] trying to find out.”

The disclosures add concern about employees being blackmailed or co-opted by foreign governments, former officials said.

Security clearance investigations, by their very nature, expose people’s darkest secrets — the things a foreign government might use to blackmail or compromise them such as drug and alcohol abuse, legal and financial troubles and romantic entanglements.

The best solution at this point, former officials said, may be what the government has already begun to do — drastically ramping up the government’s network defenses, both to prevent additional breaches from abroad and to more readily spot mischief by co-opted employees.

There may also be calls to further expand “insider threat” detection efforts, Caruso suggested.

Since the Chelsea Manning and Edward Snowden leaks that disclosed a wealth of classified data, the Defense Department and intelligence agencies have put increased emphasis on programs to continuously monitor some employees’ computer activity to spot anomalies — such as a China analyst accessing documents on Iran after hours. On a smaller scale, they’ve also ramped up “continuous evaluation programs,” which monitor public databases to turn up information suggesting added stress or abnormal behavior, such as financial troubles or an unreported drunken driving arrest.
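As an added illustration that is not part of the article, the kind of continuous-monitoring rule described above can be sketched as a small detector: it scores each document access against the analyst's assigned portfolio and against business hours, and escalates when both signals coincide (the China analyst reading Iran documents after hours). The analyst names, portfolio assignments and log lines are constructed for the example.

```python
from datetime import datetime

# Constructed analyst-to-portfolio assignments (hypothetical, not from any real system)
PORTFOLIOS = {"analyst_a": {"china"}, "analyst_b": {"iran", "iraq"}}

# Business hours are 08:00-17:59 on weekdays; anything else counts as off-hours
BUSINESS_HOURS = range(8, 18)

# Constructed document-access log: timestamp, user, document path, action
SAMPLE_LOG = """\
2015-06-10T14:05:00 analyst_a china/pla-reorg.pdf READ
2015-06-10T22:40:00 analyst_a iran/centrifuge-sites.pdf READ
2015-06-10T23:10:00 analyst_a iran/natanz-overview.pdf READ
2015-06-11T09:30:00 analyst_b iran/centrifuge-sites.pdf READ
2015-06-11T02:15:00 analyst_b iraq/oil-exports.pdf READ
"""

def parse_line(line):
    """Split one log line into a dict; the topic is the first path component."""
    ts, user, path, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "topic": path.split("/", 1)[0], "path": path, "action": action}

def is_off_hours(ts):
    return ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5

def score_event(ev, portfolios=PORTFOLIOS):
    """Return the list of anomaly signals that apply to a single access."""
    reasons = []
    if ev["topic"] not in portfolios.get(ev["user"], set()):
        reasons.append("topic outside assigned portfolio")
    if is_off_hours(ev["ts"]):
        reasons.append("access outside business hours")
    return reasons

def find_anomalies(log_text, portfolios=PORTFOLIOS):
    """Flag accesses with any signal; both signals together are 'high' severity."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = score_event(ev, portfolios)
        if reasons:
            flagged.append({"user": ev["user"], "path": ev["path"], "reasons": reasons,
                            "severity": "high" if len(reasons) == 2 else "low"})
    return flagged

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["user"], hit["path"], "; ".join(hit["reasons"]))
```

A single signal (an off-hours read of a document inside one's own portfolio) is routine and is reported only as low severity; the review queue is meant for the combined pattern.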

Also on Friday, the White House announced a “30-day Cybersecurity Sprint” in which the administration is instructing agencies to take actions such as testing their networks’ vulnerabilities, patching weaknesses, restricting the number of privileged user accounts and “dramatically” ramping up the use of so-called multifactor authentication, which goes beyond requiring people to use passwords. In addition, a “Cybersecurity Sprint Team” will engage in a 30-day review of federal cyber efforts.

Tal Kopan contributed to this report.