Military clearance OPM data breach 'absolute calamity'
Compounding those concerns is the limited information made public by the Office of Personnel Management.
Some military officials believe the recent hack targeting the civilian-run OPM seized information from tens of thousands of Standard Form 86s, which are required for all service members and civilians seeking a security clearance. That includes service members of all ranks, officers and enlisted, in a wide range of job specialties and assignments.
"They got everyone's SF-86," one Pentagon official familiar with the investigation told Military Times.
The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.
Given the scale of the breach as publicly disclosed by the Obama administration and OPM, it's likely that the hackers obtained the SF-86 data of every military member who filled out the form on a computer, something that has been standard practice in Defense Department for well over a decade, said a retired senior intelligence community official who writes a blog under the pen name Victor Socotra.
The services began to make the digital SF-86 form mandatory in 2007, but service members used the digital form for years before that.
"They had access on everyone who has applied for a security clearance: families, residences and job assignments, bank records," Socotra said. "If that's not an absolute calamity, I don't know what is."
A senior administration official declined to confirm or deny the details of the breach, but told Military Times that "SF-86 applicant data is among the kind of data affected by the incident, but other kinds of information are also contained in the systems. As the investigation remains ongoing, we are still determining the full scope and extent of the information exposed."
Socotra, a former active-duty military intelligence official who worked directly for CIA Director George Tenet, and many Republican politicians contend the information being released is deliberately obscuring the magnitude of the incursion into OPM's records.
"This is a surreal new world and they are not being truthful," he said. "The way this works now is that they tell you a little bit of the truth, and then they obfuscate."
The lack of clarity coming from the White House and from OPM on the extent of the breach drew sharp criticism from lawmakers Tuesday. OPM Director Katherine Archuleta was summoned to Capitol Hill to respond to concerns about the sweeping breach of personnel information.
Rep. Ron DeSantis, R-Fla., pressed her about the reports that SF-86 documents were at the heart of the security breach.
"So you don't disagree with my characterization of the SF-86 in that the compromise, let's just say, theoretical, if you don't want to say what actually happened here, that that is a major, major breach that will have ramifications for our country?" DeSantis said.
"As I said, we will discuss this with you in a classified setting," Archuleta responded.
The Defense Department allows OPM to handle the vast majority of background checks required for military security clearance investigations.
Signs are mounting that OPM officials were aware their security clearance data was vulnerable. In November, the OPM inspector general issued a report concluding that the data was at risk, a "Chinese hacker's dream," according to a New York Times report.
Elizabeth Newman, an attorney and security clearance expert, said the hack was a clear OPM failure.
"It means that OPM was pretty incompetent," she said. "They knew that their systems were vulnerable and were warned but did nothing to secure them."
OPM initially said a recent cyberattack was limited to civilian employees. But the agency later acknowledged a separate incident that compromised "information related to the background investigations of current, former, and prospective federal government employees, and other individuals for whom a federal background investigation was conducted."
OPM spokesman Samuel Schumach said OPM "will notify those individuals whose information may have been compromised as soon as practicable."