By Evan Hill · The Washington Post (c) 2025
One U.S. defense contractor set up a way to remotely access an office computer. Another forwarded 37 sensitive but unclassified work emails to a personal account. A third sent three emails with classified information to co-workers on an unauthorized system.
They all lost their federalsecurity clearances as a result of the lapses, ending their work for the Pentagon.
The Washington Post reviewed hundreds of cases involving contractors alleged to have usedunauthorized technology or mishandled sensitive government information – the same types of security violations that experts have said Defense Secretary Pete Hegseth may have committed last month when he disclosed the details of impending airstrikes in Yemen using the commercial messaging platform Signal. Hegseth shared that information with a group that included top national security officials and a journalist from the Atlantic.
Many of the contractorshad repeatedly violated expectations for technology use and information handling or were alleged to haveviolated other security clearanceguidelines, includingthose governing unpaid debts and alcohol abuse.But The Postfound that in at least five cases, the contractor lost their credentials even when they said the alleged infraction was inadvertent or done for convenience and government information had not been compromised.
“These people had their security clearances either denied or revoked for conduct that was far less serious than this, what occurred with the Signal exchange,” said R. Scott Oswald, managing principal at the Employment Law Group, who represents workers who have lost security clearances. Oswald reviewed summaries of the cases identified by The Post.
Though the specific circumstances differ, Oswald and other experts who reviewed summaries of the cases at The Post’s request said they show how ordinary workers have lost security clearances for actions that in key respects are similar to Hegseth’s use of Signal. Hegseth came under a fresh round of criticism this week, including from a key Republican member of Congress, in the wake of a New York Times report that the defense secretary had shared information about the Yemen airstrikes with members of a second Signal group, which included his wife and his brother.
Such attack plans typically are considered so highly classified that accessing them requires a code word and a secure line of communication, former defense officials have said.
In response to a request for comment, Kingsley Wilson, acting press secretary for the Defense Department, referred The Post to Hegseth’s comments during a Tuesday interview on Fox News.
“What was shared over Signal then and now, however you characterize it, was informal, unclassified coordinations for media coordination and other things. That’s what I’ve said from the beginning,” Hegseth said. He claimed that the news reports about his use of Signal were part of an effort to undermine President Donald Trump’s agenda.
Hegseth has not denied the existence of the two Signal chats, but he has consistently downplayed their significance and said he shared no classified information.
Security clearance guidelines are the same for contractors, civil servants and members of the military. They consist of 13 guidelines covering a range of behavior, including foreign influence and criminal conduct. Two of them state that a person may lose or be denied a security clearance for negligently disclosing protected information – including to the media – or using unauthorized information technology.
The Defense Department’s inspector general said this month that his office will scrutinize the initial Signal chat to determine whether Hegseth and others complied with policies “for the use of a commercial messaging application for official business.” It will also examine whether officials obeyed rules concerning “classification and records retention requirements,” acting inspector general Steven A. Stebbins wrote to Hegseth.
To better understand how the Pentagon enforces rules governing the handling of sensitive information, The Post reviewed clearance cases documented on the website of the Defense Office of Hearings and Appeals, an arm of the Defense Department that makes a final ruling when contractors challenge the loss of their clearance. The descriptions on the website do not include the names of the contractors or their employers.
The cases provide a window into how strictly the guidelines have been enforced, but they represent only a small slice of the clearance cases decided across the government, which generally aren’t public and are handled by separate boards inside each agency. The Post could not determine the outcomes of such nonpublic cases that may have involved similar violations.
National security lawyers cautioned that the outcome of a security clearance case depends on multiple factors, including who the administrative judge is, and that rulings are sometimes inconsistent. The Post found some cases in which applicants committed multiple violations involving unauthorized disclosure of sensitive information or use of information technology but still received clearances because judges decided that enough time had passed or applicants had taken corrective action to mitigate the violations.
One of the cases examined by The Post was that of a 56-year-old man who had held a clearance since 1988. He kept a spreadsheet containing both his private information and protected Defense Department information, including a passcode that would help access a government safe at work. He routinely transferred the spreadsheet between his government and personal computers using a USB drive or emails. As a result, his application for a security clearance was denied in 2021.
In another case, a 64-year-old man who worked as a senior principal design engineer and had held a security clearance since the late 1980s plugged a USB drive, which was classified secret, into an unclassified laptop in 2011 to transfer sensitive material to a secured network. His clearance was denied in 2014.
Though the cases identified by The Post differed from the Signal chat in their specifics, they shared important characteristics, such as the use of unauthorized technology and the fact that some of the contractors tried to minimize the significance of their actions afterward, said Steven Aftergood, former director of the Project on Government Secrecy at the Federation of American Scientists.
“Many of them were merely negligent rather than actively malicious,” Aftergood said. “Nevertheless, in every case, their clearances were denied.”
Robert Deitz, former general counsel at the National Security Agency and senior counselor to CIA Director Michael Hayden, said rules governing classified information are “beaten into you the day you start working in the intelligence community.”
“And the rules don’t vary whether you’re a newbie or have been around for 30 years,” he said.
Bradley Moss, a Washington-based lawyer specializing in security clearance cases, said he had “almost complete certainty” that if rank-and-file employees or contractors had engaged in activity similar to the Signal chat, they would have lost their clearance. Criminal prosecution would be a “real serious concern,” he added.
Presidential administrations of both parties have on occasion treated senior officials less harshly than lower-level employees for security breaches, said Moss, pointing to past cases involving Democratic presidential nominee and former secretary of state Hillary Clinton and former CIA director David H. Petraeus.
Hegseth and other senior officials who engaged in the Signal chat are just the latest examples, Moss said, and they continue to work with classified information. “That is what makes this all the more distressing,” he said.