The FBI deviated from its own policy on notifying victims of computer hacking when it left many U.S. officials and other Americans in the dark about Kremlin-aligned attempts to break into their personal Gmail accounts, The Associated Press has learned.
FBI policy calls for notifying victims, whether individuals or groups, to help thwart both ongoing and future hacking attempts. The policy, which was released in a lawsuit filed earlier this year against the FBI by the nonprofit Electronic Privacy Information Center, says that notification should be considered "even when it may interfere with another investigation or [intelligence] operation."
The AP interviewed almost 80 Americans, including senior policymakers, and found only two who said they learned of the efforts to hack into their Gmail accounts from the FBI.
"It's just remarkable to me that the Bureau did not do what it was supposed to do," said Marc Rotenberg, executive director of the Electronic Privacy Information Center.
The FBI did not immediately respond to requests for comment on this story. Late last week, the agency declined to discuss its investigation into the spying campaign and said in a statement: "The FBI routinely notifies individuals and organizations of potential threat information."
However, three people familiar with the matter — including a current and a former government official — said the FBI has known for more than a year the details of the hacking attempts by a Russian government-aligned hacking group known as Fancy Bear.
A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, said the Bureau was overwhelmed by the sheer number of attempted hacks. "It's a matter of triaging to the best of our ability the volume of the targets who are out there," he said.
In the face of a tidal wave of malicious phishing attempts, the FBI sometimes passes on information about the attacks to service providers and companies, who can then relay information to clients or employees, he added.
The AP, which acquired a list of about 4,700 targeted email accounts, has reported in recent weeks on the global reach of the hacking operation and strategy used to break into emails of the Democratic Party and presidential campaign of Hillary Clinton.
Tens of thousands of those emails were leaked online in advance of the November election. U.S. intelligence agencies have concluded that Fancy Bear works for the Russian government and meant to push the election in favor of Donald Trump. The Russian government has denied interfering.
In previous AP reports, some targets of the hacking attempts indicated that they were befuddled and upset over the failure of the FBI to alert them. "It's utterly confounding," said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. "You've got to tell your people. You've got to protect your people."
The hacking data, which came from the Secureworks cyber security company, showed malicious links crafted for email accounts — but not the account holders.
The AP was able to identify more than 500 of the U.S-based people and groups that were targeted. Among high-ranking former officials who never heard from the FBI were heads of the Defense Intelligence Agency and Air Force Intelligence, a defense undersecretary, a director of cybersecurity for the Air Force, and a director of military support at the Geospatial Intelligence Agency, which employs spy satellites.
Many who went uninformed were long-retired, but about one-quarter were still in government or held security clearances at the time they were targeted. It's not clear how many may have given up their email passwords or what the hackers may have acquired in stolen email.
However, some accounts held emails dating back years, when even many of the retired officials still occupied sensitive posts. And intelligence experts say Russian spies can use personal correspondence as a springboard for further hacking, recruitment or even blackmail.
"The onus is on the FBI right now to explain why they didn't follow their policies, as we are reading them," said Elizabeth Hempowicz, director of public policy at the Project on Government Oversight.
Other government watchdogs said that the government agents who respond to such foreign hacking operations need more oversight as they respond to this ballooning problem — and public accountability.
"There should be a public report about how widespread this activity is, so that every American will know about it — and that didn't happen here," said Louis Clark, CEO of the Government Accountability Project.
Donn reported from Plymouth, Massachusetts. Raphael Satter reported from London.