The recent hack of data held by the U.S. Office of Personnel Management has raised concerns that the identities of undercover intelligence officers working abroad could be exposed.
Initially, government officials characterized the security breach primarily as a way that hackers could steal employees' identities and commit financial fraud -- similar to the breaches that have affected Target, Home Depot, and other retailers.
But cyber-security and counterintelligence experts say the bigger threat is that the hackers can undermine undercover American operations.
“Until proven otherwise, this is in fact the worst national security disaster this country’s ever experienced...period,” said Mike Adams, who spent the past 15 years in cyber-security, following his retirement from Army Special Forces.
"Intelligence officers spend years trying to get this much data on one guy," Adams said. "People spend careers trying to get this much data on one guy."
Lost in the hack were high-level security clearances for the past 30 years. The U.S. government reports hackers have that data on more than 21 million Americans, including 1.1 million fingerprint files.
The Department of Homeland Security said it believes the hackers targeted government contractors and used a so-called “social engineering” attack to get an unsuspecting employee to give up login credentials.
The Office of the Director of National Intelligence declined comment on the possible risk to American intelligence agents.
'My heart kind of dropped'
When news about the hack first broke, civilian Navy employee Lauren Bickings was more worried about identity theft than anything else. She's in the process of trying to buy a house.
But Bickings, who has a top secret security clearance, said word soon spread around her office that the consequences could be even greater, as the government suspects the hackers were working for China's intelligence service.
“My heart kind of dropped. Knowing that this wasn’t like Jane Smith from next door doing this,” she said. “This was a big deal.”
Indeed, cyber-security and counterintelligence experts said that if Social Security numbers, for instance, end up in the hands of a hostile foreign intelligence service, that agency could compare those to the Social Security numbers on visas they've provided to Americans. That could blow the cover of American spies.
Perhaps most damaging, according to experts, the hackers stole “adjudication data,” which includes notes and findings of the investigators who conduct background checks on people applying for top secret clearances. That information goes beyond Social Security numbers and other identification data. It also includes deeply personal information from applicants' backgrounds, such as whether they have substance abuse problems, debt issues, or have cheated on a spouse.
“If you’re a diplomat like I was overseas, all of a sudden you’ve got to start worrying about who knows what’s going on with my background,” said Alex Tabb, who spent years as a Foreign Service Officer and now does cyber-security consulting for the financial industry. “It’s potentially very damaging.”
Years to determine the damage
The government hasn’t said yet how serious it believes the breach to be. The Office of Personnel Management says it won’t know more about the damage until the FBI and the Department of Homeland Security complete their investigations. But the agency has increased its estimate of the number of federal employees affected from 4 million to more than 25 million.
OPM director Katherine Archuleta has resigned. President Obama has named the agency's deputy director, Beth Cobert, as the acting head of OPM. Cobert has promised to restore confidence in the embattled agency.
OPM has issued guidelines for employees whose information may have been compromised. But Tabb said the breach is so significant that it won't be easy for the government - or the affected employees - to get past it.
"The scope is still so unknown that it’s going to take years for us to figure out exactly what the damage is and then the type of information that was lost," said Tabb.
CORRECTION: An earlier version of the audio story said that hackers had broken into OPM's web-based system used to submit background investigation applications. In fact, OPM says it voluntarily took the system offline for security enhancements. The agency says it identified security vulnerabilities in the system, but found no evidence hackers have exploited those vulnerabilities.