The White House waited roughly four weeks before telling the public that hackers had stolen the personal information of millions of people associated with the federal government, two people directly involved with the investigation tell The Associated Press.
In providing a more detailed chronology of the break-in at the U.S. Office of Personnel Management, the two people say the White House decided June 2 to disclose it that week.
OPM and the Homeland Security Department publicly confirmed the data thefts on June 4, shortly after the AP broke the story. The two people spoke on condition of anonymity because parts of the case and techniques being used are classified.
Press guidance from the administration sent by email to industry executives on June 2 explained vaguely that an issue with implications for the U.S. intelligence community was about to be disclosed and predicted that it would generate some minor news coverage in Washington and trade periodicals. The AP was read a copy of the guidance.
A White House official, who was not authorized to speak publicly about the break-in, said the delay was needed to identify what information was exposed and how many people were affected, ensure that a public announcement wouldn't interfere with the investigation and establish a process to notify affected employees.
Roughly six weeks later, the U.S. still doesn't know exactly what information was exposed or how many people were affected, and it has not provided detailed warnings to employees whose information was compromised.
"We are working with the agencies right now to determine how many of their employees were affected," OPM's director, Katherine Archuleta, said on Capitol Hill. "We do not have that number at this time."
The two people involved in the investigation and a congressional aide, who also requested anonymity after a classified briefing, have told the AP previously that the personal information stolen affects as many as 14 million current and former federal employees and others.
The White House official noted that under a proposal that Congress hasn't voted to approve, private companies would also have 30 days to notify customers after hackers steal their information. Under the White House plan, companies that suffer routine hacking attacks can request additional extensions of 30 days each before notifying victims, and the FBI or Secret Service can waive the notification requirement if notifying would damage national security, reveal sensitive sources or methods or impede an investigation.