Although there was no evidence of data theft or lateral movement, the agency’s investigation revealed that unauthorized access to various sensitive information, including security plans and user accounts, may have occurred.