The Office of Personnel Management will notify many more individuals their personal information was compromised than the 4.2 million current and former federal employees the agency initially informed, officials said on Tuesday.
The timing of the second round of notifications, as well as the number of employees who will receive them, is still unknown by OPM. The agency’s director, Katherine Archuleta, confirmed to a congressional panel that OPM discovered, in the course of looking into the initial hack it uncovered in April, a second hack that targeted background investigation and security clearance data.
Archuleta said it will notify the those who went through background investigations their data was compromised “as soon as practicable,” with OPM’s Chief Information Officer Donna Seymour adding the agency first had to identify exactly whose information was hacked. The initial notifications began going out June 8 and will continue through June 19.
Representatives from the Homeland Security Department, Office of Management and Budget, Interior Department -- where OPM’s hacked servers were housed -- and OPM all said they were taking steps to upgrade systems and boost security protocols. The other agencies noted, however, the hack was OPM’s responsibility. Archuleta said, in turn, she inherited “decades old” legacy systems that she was doing her best to modernize them.
That line of defense did little to assuage the concerns of House Oversight and Government Reform Committee members, who complained OPM officials failed to comply with recommendations from its inspector general to improve network protections and were failing to keep hacked employees adequately apprised of the full impact of the breach. Adding to the lawmakers’ frustration was Archuleta’s insistence on relying on canned answers while calling the investigation ongoing and classified.
“Well it didn’t work,” said committee Chairman Rep. Jason Chaffetz, R-Utah, when Archuleta said she had taken steps to improve cybersecurity despite not responding to all of the IG’s recommendations. “So you failed, utterly and completely.” He added: “You made a conscious decision to leave that information vulnerable and it was the wrong decision.” Archuleta said OPM had instituted multi-step authentication and reduced the number of employees with privileged access to the network.
The director later told Rep. Mick Mulvaney, R-S.C., she was “doing her best” to deal with the fallout of the hack, to which Mulvaney responded: “That’s what frightens me, Ms. Archuleta, that this is the best of your ability.”
The criticism did not just come from one party; Rep. Ted Lieu, D-Calif., said heads should roll over the data breach.
“I’m looking for a few good people to step forward, accept responsibility and resign for the good of the nation,” Lieu said. No one responded to Lieu’s request, and Archuleta later admitted no one had been fired in relation to the hack.
Asked if she took responsibility for the breach, Archuleta demurred, saying she only took responsibility for leading OPM. She kicked off her testimony by noting the protection of federal employees was of “paramount importance.”
Rep. Stephen Lynch, D-Mass., accused Archuleta of obfuscating and said he might end up walking away from the hearing knowing less than he did when he entered it.
“You’re doing a great job stonewalling us,” Lynch said, “but the hackers not so much.”
Committee members also lambasted OPM for its lack of communication with federal employees about the details of the hack. Archuleta and Seymour would not specify if military members, contractors or the intelligence community were part of the original or secondary hack, saying that information would have to be provided in the classified briefing also held on Tuesday.
“I’ve read the letter you’ve been sending out to employees and it’s grossly inadequate,” Chaffetz said of the initial notification sent out to federal workers, later adding employees have “a right to know” more about the implications of the hack. Every major federal employee group has voiced its displeasure with OPM’s secrecy on the breach and has requested more information.
Seymour said the hacked information included performance ratings, job functions and training records. The second breach compromised background investigation information found on Standard Form 86, which includes a “longitudinal” record of the employee’s entire career. She also backtracked on current OPM guidance stating the breach included only executive branch employees, saying she was not comfortable with that definition as the investigation was still unfolding. Archuleta confirmed employees’ Social Security numbers were part of the initial hack, and that they were not encrypted, though a DHS official said encryption would not have helped in this case.
Lawmakers were not satisfied with those details.
“We need to be more forthcoming with our own employees,” Lynch said. “These people work for us. They deserve a lot more protection than they’re currently getting from the U.S. government.”
After the hearing, Rep. Mark Meadows, R-N.C., said the hackers themselves are more “in the know” than the average federal employee.
In addition to calling for resignations, Lieu asked OPM to show some remorse.
“One word I haven’t heard is sorry,” Lieu said. “When is OPM going to apologize to federal employees?”
While administration officials consistently said they were doing their best to improve old systems, lawmakers said those efforts would do little to appease feds whose data were already compromised.
Federal employees are “people who dedicate their entire careers, their entire lives to our country,” said Rep. Matt Cartwright, D-Pa. “And now their personal information has been compromised through absolutely no fault of their own.”