WASHINGTON (AP) — The FBI deviated from its own policy to notify victims of computer hacking when it left U.S. officials and other Americans in the dark about Kremlin-aligned attempts to break into their personal Gmail accounts, The Associated Press has learned.
FBI policy calls for notifying victims, whether individuals or groups, to help thwart both ongoing and future hacking attempts. The policy , which was released in a lawsuit filed earlier this year against the FBI by the nonprofit Electronic Privacy Information Center, says that notification should be considered “even when it may interfere with another investigation or (intelligence) operation.”
That doesn’t appear to have happened in the case of the Russian government-aligned hacking group known as Fancy Bear, which tried to break into the Gmail accounts of more than 500 U.S.-based targets between 2015 and 2016, according to data obtained by AP. The news agency interviewed nearly 80 of them, including senior policymakers, and found only two who said they learned of the efforts to hack into their Gmail accounts from the FBI.
“It’s just remarkable to me that the Bureau did not do what it was supposed to do,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center.
The lapse prompted Democratic Rep. Ted Lieu to call for an FBI briefing to Congress on its notification policy.
“The FBI’s response to this advanced persistent threat appeared to have been deficient and demands further attention,” he wrote in a letter to FBI Director Christopher Wray released Tuesday. “It is unacceptable that targeted U.S. officials learned about these attacks on their own accounts from news reports rather than from their own government.”
The FBI did not immediately respond to requests for comment on this story. Late last week, the agency declined to discuss its investigation into the spying campaign and said in a statement: “The FBI routinely notifies individuals and organizations of potential threat information.”
However, three people familiar with the matter — including a current and a former government official — said the FBI has known about the Gmail spying operation for more than a year.
A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, said the Bureau was overwhelmed by the sheer number of attempted hacks. “It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said.
In the face of a tidal wave of malicious phishing attempts, the FBI sometimes passes on information about the attacks to service providers and companies, who can then relay information to clients or employees, he added.
The AP, which acquired a list of about 4,700 targeted email accounts, has reported in recent weeks on the global reach of the hacking operation and the strategy used to steal the emails of the Democratic Party and presidential campaign of Hillary Clinton. Tens of thousands of those emails were leaked online in advance of the November election. U.S. intelligence agencies have concluded that Fancy Bear works for the Russian government and meant to push the election in favor of Donald Trump. The Russian government has denied interfering.
Many of those who were told they were in the Kremlin’s cross-hairs were long-retired, but some were still in government or held security clearances at the time they were targeted. It’s not clear how many may have given up their email passwords or what the hackers may have acquired in stolen email.
However, some accounts held emails dating back years, when even many of the retired officials still occupied sensitive posts. And intelligence experts say Russian spies can use personal correspondence as a springboard for further hacking, recruitment or even blackmail.
“The onus is on the FBI right now to explain why they didn’t follow their policies, as we are reading them,” said Elizabeth Hempowicz, director of public policy at the Project on Government Oversight.
Other government watchdogs said that the government agents who respond to such foreign hacking operations need more oversight as they respond to this ballooning problem — and public accountability.
“There should be a public report about how widespread this activity is, so that every American will know about it — and that didn’t happen here,” said Louis Clark, CEO of the Government Accountability Project.