OPM Hackers Netted Usernames, Social Security Numbers Years Ago

Mark Van Scyoc/Shutterstock.com

When a foreign power as early as 2013 first hacked the Office of Personnel Management and retrieved IT manuals for its network, swept up in the heist were the usernames and the last four digits of the Social Security numbers of certain system users.

That detail was not disclosed to lawmakers until Thursday. 

Federal officials had always maintained the attackers -- who would go on to nab 21.5 million background check records last year -- never obtained personally identifiable information during the first breach.  

The varying descriptions of exactly what was compromised during the multiyear, alleged Chinese hacking operation came into focus during a Thursday House hearing.

Lawmakers wanted answers from OPM and other agencies for why congressional requests for executive branch information have gone unfulfilled. One request, spelled out in an Aug. 18, 2015, letter, asked for all the guides, directories and manuals the OPM attackers copied during the initial hack.

This summer, OPM Chief Information Officer Donna Seymour told lawmakers the guides describing OPM IT assets stolen in the earlier incident "would give you enough information that you could learn about the platform, the infrastructure of our system," but added that many of them were commercially available and outdated.

The earliest known malicious activity on OPM networks disclosed by government officials dates back to November 2013, federal officials testified this summer. The final, massive hack of personnel records began in the fall of 2014 and was detected in April 2015. 

On Thursday, Jason Levine, OPM's director of congressional, legislative and intergovernmental affairs, told the Oversight and Government Reform Committee: "You have all of the IT information unredacted. The only thing that remains redacted with respect to that production is a list of what we would consider unresponsive names. It is just a list of every username on the system with the last four of their socials."

Levine did not provide further details about the network users whose personal information was exposed in that preliminary hack. The assailants, in the end, targeted individuals who had applied for security clearances to handle U.S. classified secrets.

Committee Chairman Rep. Jason Chaffetz, R-Utah, voiced upset over the agency's decision not to disclose the personal information. 

Levine responded, "That information is certainly not publicly available. That's the username on the system, that's the last four Social Security numbers."

Chaffetz then interjected, "That's what the adversary's got. That's what we're concerned about." Seymour "tried to get us to go away by telling us it's all publicly available and it's outdated anyway," he added. "That was a lie. She misled Congress and she's going to pay that price."

Chaffetz has called for Seymour's ouster multiple times, most recently in a Dec. 10, 2015, letter to the acting head of OPM, Beth Cobert. 

Levine, throughout the oftentimes-tense hearing, committed to coordinating with the committee's staff on fulfilling any remaining information requests. 

"We're happy to come back work with you on that set of responses," he told Chaffetz. 

When the original hack became public, in July 2014, OPM was not required to notify employees if attackers saw their names.

Names are not normally considered personally identifiable information, according to OPM's definition of "PII" at the time. 

The agency also said in a statement to reporters that neither OPM nor the Department of Homeland Security "have identified any loss of personally identifiable information. We continue to exercise the utmost vigilance in monitoring for potential threats and protecting our information and systems. A multiagency investigation into the attempted breach is ongoing."
