By Arshad Mohammed and Joseph Menn
WASHINGTON (Reuters) - When a retired 51-year-old military man disclosed in a U.S. security clearance application that he had a 20-year affair with his former college roommate's wife, it was supposed to remain a secret between him and the government.
The disclosure last week that hackers had penetrated a database containing such intimate and possibly damaging facts about millions of government and private employees has shaken Washington.
The hacking of the White House Office of Personnel Management (OPM) could provide a treasure trove for foreign spies.
The military man's affair, divulged when he got a job with a defense contractor and applied to upgrade his clearance, is just one example of the extensive potential for disruption, embarrassment and even blackmail arising from the hacking.
The man had kept the affair secret from his wife for two decades before disclosing it on the government's innocuously named Standard Form 86 (SF 86), filled out by millions of Americans seeking security clearances.
His case is described in a judge's ruling, published on the Pentagon website, that he should keep his security clearance because he told the government about the affair. His name is not given in the administrative judge's decision.
The disclosure that OPM's data had been hacked sent shivers down the spines of current and former U.S. government officials as they realized their secrets about sex, drugs and money could be in the hands of a foreign government.
The data that may be compromised by the incident, which was first reported by the Associated Press, included the detailed personal information on the SF 86 "QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS," according to U.S. officials.
U.S. SUSPECTS LINK TO CHINA
As with another cyberattack on OPM disclosed earlier this month, U.S. officials suspect it was linked to China, though they have less confidence about the origins of the second attack than about the first.
China denies any involvement in hacking U.S. databases.
While the Central Intelligence Agency does its own clearance investigations, agencies such as the State Department, Defense Department and National Security Agency, which eavesdrops on the world, all use OPM's services to some degree.
It was not immediately clear how many Americans' information may have been compromised, nor precisely how many fill out form SF 86. As of Oct. 1, there were 4.51 million people cleared or eligible to receive national security information, according to a report by the Office of the Director of National Intelligence.
Intelligence veterans said the breach may prove disastrous because China could use it to find relatives of U.S. officials abroad as well as evidence of love affairs or drug use which could be used to blackmail or influence U.S. officials.
An even worse scenario would be the mass unmasking of covert operatives in the field, they said.
"The potential loss here is truly staggering and, by the way, these records are a legitimate foreign intelligence target," said retired Gen. Michael Hayden, a former CIA and NSA director. "This isn't shame on China. This is shame on us."
The SF 86 form, which is 127-pages long, is extraordinarily comprehensive and intrusive.
Among other things, applicants must list where they have lived; contacts with foreign citizens and travel abroad; the names and personal details of relatives; illegal drug use and mental health counseling except in limited circumstances.
A review of appeals of security denials published on the web shows the variety of information now in possession of the hackers, including financial troubles, infidelities, psychiatric diagnoses, substance abuse, health issues and arrests.
"It's kind of scary that somebody could know that much about us," said a former senior U.S. diplomat, pointing out the ability to use such data to impersonate an American official online, obtain passwords and plunder bank accounts.
SOME AGENCIES LESS VULNERABLE
A U.S. official familiar with security procedures, but who declined to be identified, said some agencies do not use OPM for clearances, meaning their employees' data was at first glance less likely to have been compromised.
However, the former senior diplomat said someone with access to a complete set of SF 86 forms and to the names of officials at U.S. embassies, which are usually public, could compare the two and make educated guesses about who might be a spy.
"Negative information is an indicator just as much as a positive information," said the former diplomat.
The case of the 51-year-old former military man who told the government, but not his wife, about his 20-year affair came to light when he filed an appeal because his effort to upgrade his security clearance ran into trouble.
According to a May 13 decision by an administrative judge who heard his case, the man revealed the affair in the "Additional Comments" section of SF 86 in January 2012, ended the affair in 2013, and told his wife about it in 2014.
"DOD (Department of Defense) is aware of the affair because Applicant disclosed it on his SF 86; the affair is over; and the key people in Applicant’s life are aware of it," the judge wrote, according to a Defense Office of Hearings and Appeals document posted online.
His access to classified information was approved.
(Reporting by Arshad Mohammed in Washington and Joseph Menn in San Francisco; Additional reporting by Mark Hosenball; Editing by David Storey, Sue Horton and Alan Crosby)