(Bloomberg) — The vast cyber-attack in Washington began with, of all things, travel reservations.

More than two years ago, troves of personal data were stolen from U.S. travel companies. Hackers subsequently made off with health records at big insurance companies and infiltrated federal computers where they stole personnel records on 21.5 million people — in what apparently is the largest such theft of U.S. government records in history.

Those individual attacks, once believed to be unconnected, now appear to be part of a coordinated campaign by Chinese hackers to collect sensitive details on key people that went on far longer — and burrowed far deeper — than initially thought.

But time and again, U.S. authorities missed clues connecting one incident to the next. Interviews with federal investigators and cybersecurity experts paint a troubling portrait of what many are calling a serious failure of U.S. intelligence agencies to spot the pattern or warn potential victims. Moreover, the problems in Washington add new urgency to calls for vigilance in the private sector.

In revealing the scope of stolen government data on Thursday, Obama administration officials declined to identify a perpetrator. Investigators say the Chinese government was almost certainly behind the effort, an allegation China has vehemently denied.

'Facebook of Intelligence'

Some investigators suspect the attacks were part of a sweeping campaign to create a database on Americans that could be used to obtain commercial and government secrets.

"China is building the Facebook of human intelligence capabilities," said Adam Meyers, vice president of intelligence for cybersecurity company CrowdStrike Inc. "This appears to be a real maturity in the way they are using cyber to enable broader intelligence goals."

The most serious breach of records occurred at the U.S. Office of Personnel Management, where records for every person given a government background check for the past 15 years may have been compromised. The head of the government personnel office, Katherine Archuleta, resigned Friday as lawmakers demanded to know what went wrong.

The campaign began in early 2013 with the travel records, said Laura Galante, manager of threat intelligence for FireEye Inc., a private security company that has been investigating the cyber attacks.

Stockpiling Records

By mid-2014, it became clear that the hackers were stockpiling health records, Social Security numbers and other personal information on Americans, a departure from the country's traditional espionage operations focusing on the theft of military and civilian technology.

"There was a clear and apparent shift," said Jordan Berry, an analyst at FireEye.

Recognition came too late for many of the victims. Vendors of security devices say health-care companies are spending tens of millions of dollars this year to upgrade their computer systems, but much of the data is already gone.

U.S. intelligence agencies were collecting information on the theft of personal data but failed to understand the scope and potential damage from the aggressive Chinese operation, according to one person familiar with the government assessment of what went wrong.

In the last two years, much of the attention of U.S. national security agencies was focused on defending against cyber attacks aimed at disrupting critical infrastructure like power grids.

'Leading Suspect'

But healthcare, financial and work-related data has its own espionage value. It can be used in targeted intelligence operations to further penetrate vital U.S. networks or blackmail officials, said Representative Michael McCaul, a Texas Republican and chairman of the House Homeland Security Committee.

Security companies including FireEye and ThreatConnect Inc. say the tactics and technology used in the attacks point to hackers in China and are consistent with Chinese government espionage. Director of National Intelligence James Clapper said last month that China was "the leading suspect."

Zhu Haiquan, a spokesman for the Chinese embassy in Washington, denied the allegation and said in an e-mail the Chinese government doesn't engage in cyber attacks.

Server Manuals

As far back as November 2013, hackers began rummaging through documents for configuring computer servers at the Office of Personnel Management. That breach wasn't discovered until March 2014, Donna Seymour, the agency's chief information officer, told a Congressional committee last month. The hackers then returned in June 2014 and went undetected until this past April, she said.

That initial breach gave hackers access to manuals about the agency's servers and information technology. That, in turn, propelled the second wave of attacks.

"When this plays out, we're going to find that this was the step that allowed them to come back and why we're in this mess today," said Representative Jason Chaffetz, a Utah Republican.

U.S. Investigative Services disclosed last August that it had been breached, and in December a breach at KeyPoint Government Solutions Inc. was revealed. It's unclear how long hackers were inside the two companies.

Not Notified?

Eric Hess, KeyPoint's chief executive officer, and Rob Giannetta, USIS' chief information officer, have said their companies weren't notified about the problems at the Office of Personnel Management, even though they should have been under contractual obligations.

The agency disputes those assertions and says it shared information with the two companies, as well as CACI International Inc., another contractor.

The hackers eventually obtained log-in credentials of a KeyPoint employee in late 2014, which they used to further penetrate the agency's network.

The cyber attacks were mostly discovered by accident — or only once the attackers had time to burrow deeply into computer systems and steal volumes of data. Some of the targets were attacked multiple times.

Attackers were inside health-insurer Anthem Inc.'s Indianapolis, Ind.-based network for 10 months before being discovered, according to a person familiar with the matter, who asked to remain anonymous given the sensitivity of the breach. The company disclosed in February that hackers may have compromised personal data for as many as 80 million people.

Anthem spokeswoman Kristin Binns said the company's information security procedures worked and enabled the company to detect the cyber attack.

DNI Warnings

The Office of the Director of National Intelligence declined to comment on whether it issued specific warnings related to the attacks, but it does routinely provide such alerts, spokeswoman Kathleen Butler said.

Around the same time as the Anthem attack, the FBI warned companies of cyber-attacks from infrastructure within China aimed at stealing sensitive business and personal data. But the alert came more than a year after the attacks first began, private investigators now conclude. Health insurers Premera Blue Cross, serving Washington state, and Carefirst Inc., based in Maryland, disclosed their networks had been breached in May, becoming the latest known campaign victims.

The FBI declined to comment on whether warning signs were missed, but FBI Director James Comey told members of Congress Wednesday that he was also a victim of the Office of Personnel Management attack. The hackers likely now have his SF-86 form, a detailed questionnaire for applying for national security positions in the U.S. government.

"So it's not just my identity that's affected, it's you know — I got siblings, I got five kids," Comey told members of the Senate intelligence committee. "All of that is in there, and so the numbers quickly grow far beyond the number of federal employees, which is millions over the last 20 years."
