U.S. Officials Say Nearly 14 Million Affected In OPM Breach
AUDIE CORNISH, HOST:
The question is not going away. How could the private information of millions of people be stolen from the federal government? Today, those investigating the hack on the Office of Personnel Management say they now understand the scope of this breach, and they tell NPR more than 14 million people may have been affected. We're going to hear about some of the lines of inquiry the FBI and other agencies are following. That includes whether a 2014 report on OPM's computer network provided a roadmap for would-be hackers. NPR's Dina Temple-Raston has been following all of this and joins us now. Welcome to the studio, Dina.
DINA TEMPLE-RASTON, BYLINE: Thank you.
CORNISH: So help us understand this, why it's thought a government report may have essentially shown hackers a way in.
TEMPLE-RASTON: Well, investigators are now following a number of lines of inquiry, including, as you said, whether an inspector general's report tipped off hackers to some of the agency's vulnerabilities. The 66-page report was released publicly in November 2014, and the hack is thought to have come about a month later. Among the things the inspector general found that could have helped hackers was that nearly a quarter of the agency's systems did not have valid authorization procedures. That means things like having passwords or dormant accounts closed or using smart cards or access codes. The reason that's important is because one of the departments that didn't have the correct procedures was the Federal Investigative Services. That's the group responsible for background investigations of federal employees. So that data's very sensitive, and as we know now, this is one of the databases that was hacked.
CORNISH: In the meantime, what else are investigators looking at?
TEMPLE-RASTON: Well, they're also focused on the hack that took place during the government shutdown in October 2013 and whether that played some role in this latest episode. That hack was against the Federal Election Commission, and it had furloughed all of its then-339 employees during the 2013 government shutdown. So that means the FEC's IT, the people who would have been monitoring the networks, weren't on the job.
And it turns out that the Chinese hacked into the FEC system just days into the shutdown. The focus at that time was how hackers were able to - might - maybe get information on subpoenas and donors in investigations that the Federal Election Commission might be conducting. But now officials are looking at whether or not that breach may have helped hackers find vulnerabilities in other government networks.
CORNISH: So does that mean that finding a vulnerability at the Federal Election Commission's computer system might have also led to a hacker finding a vulnerability at OPM?
TEMPLE-RASTON: Exactly. So hypothetically, let's say you're hacking into the FEC network, and you find that it's easy to get into the system through some glitch in the code that runs, for example, the network printers. Then you take that glitch, and you see if that works in a hack against some other federal agency, like OPM. So hacking into one agency can potentially give you a window into how to get into another.
CORNISH: Why isn't the Obama administration saying on the record that China is responsible for this? Is it because they aren't sure?
TEMPLE-RASTON: No. In background conversations, they seem pretty sure. In fact, they're zeroing in on who, specifically, they think is responsible. They're looking at a hacking group that goes after strategic interests for the Chinese government, and it's called - and I'm not making this up - Deep Panda.
CORNISH: Why not say this publicly?
TEMPLE-RASTON: Well, part of the reason is because the U.S. does this kind of hacking and espionage as well, and it's understood that this sort of thing goes on. One official told me that so far, the calculation has been that the trouble that they would cause in naming China specifically seems to outweigh the benefits of calling them out for stealing the information. What's more, as a general matter, officials see a bright line between spying for commercial advantage and spying for national security. This isn't about stealing credit cards or commercial secrets. There's an expectation that they're going to be trying to get this information just as the U.S. is trying to get this kind of information about them. So this falls into a different category.
CORNISH: That's NPR's Dina Temple-Raston. Dina, thank you.
TEMPLE-RASTON: You're welcome.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.