The Cable

Clapper: ‘We Don’t Know Exactly What Was Taken in the OPM Breach’

Months after one of the biggest hacks in American history, Washington's top spy said the U.S. was still assessing the damage.

SYDNEY, NSW - AUGUST 11:  A fingerprint is scanned at Argus Soloutions August 11, 2005 in Sydney, Australia. The Australian Federal Government are considering including biometric data such as fingerprints, iris scans, or facial recognition on a national identity card in a bid to combat fraud, illegal immigration and terrorism. Details of individuals' biometrics would be stored on the card in an algorithmic code to prevent identity theft.   (Photo by Ian Waldie/Getty Images)
SYDNEY, NSW - AUGUST 11: A fingerprint is scanned at Argus Soloutions August 11, 2005 in Sydney, Australia. The Australian Federal Government are considering including biometric data such as fingerprints, iris scans, or facial recognition on a national identity card in a bid to combat fraud, illegal immigration and terrorism. Details of individuals' biometrics would be stored on the card in an algorithmic code to prevent identity theft. (Photo by Ian Waldie/Getty Images)

With Chinese President Xi Jinping set to arrive in Washington Thursday for a highly anticipated summit with President Barack Obama, America’s top spy said that the U.S. government still does not know what was stolen from the servers of the Office of Personnel Management in a breach U.S. officials privately attribute to Chinese agents.

“We don’t actually know what was actually exfiltrated,” Director of National Intelligence James Clapper said during an appearance at Georgetown University. “So what you’re hearing about is absolutely the worst case.”

On Wednesday, OPM revealed that as many as 5.6 million fingerprint records were among the data stolen in a breach disclosed in June. That’s up from their previous estimate of 1.1 million fingerprint records. The 5.6 million people whose fingerprint records were compromised are a subset of the total number of people whose records were stolen from OPM. The total number of people whose recordsincluding documents gathered during the course of background investigations for current, former, and prospective federal employees seeking security clearanceswere compromised remains at 21.5 million.

Federal computer sleuths are examining the scope of the breach, and it was during that investigation that they discovered fingerprint files that OPM said in a statement had not been “previously analyzed.”

On Thursday, Clapper referenced what appears to be the difficulty of that investigation as a contributing factor to the lack of certainty on how many people were affected by the breach. “We do not have enough granularity [or] fidelity on the forensics to determine exactly what was exfiltrated,” he said. Clapper said nothing Thursday about who was responsible for the attack.

The breach of OPM’s servers has been described by security experts as a possible intelligence bonanza, and Clapper said Thursday that the information poses a particular risk for employees of the intelligence community who may be working under cover. China has denied any involvement in the hack.

Clapper has said previously that the U.S. government has no indication that the stolen information has been used against American agents, and said Thursday that the intelligence community has been searching for “evidence of it turning up some place,” but it so far hasn’t.

In talks this week, Chinese and U.S. officials may announce the completion of an agreement to govern behavior in cyberspace, but such an agreement would all but certainly not have prevented the breach of OPM’s servers. That agreement may commit the United States and China to not attacking each other’s critical infrastructure systems during peacetime, but would likely say nothing about the kind of intelligence activity targeting systems such as OPM.

While lamenting that it was allowed to take place, Clapper has in the past saluted the OPM breach as an example of good intelligence work. “You have to kind of salute the Chinese for what they did,” Clapper said in June.

Elias Groll is a staff writer at Foreign Policy. Twitter: @EliasGroll

Trending Now Sponsored Links by Taboola

By Taboola

More from Foreign Policy

By Taboola