WASHINGTON – First, officials said, hackers stole information about 4.2 million people. Then it was 14 million. Then 18 million. Now, it is possible that the data breach at the Office of Personnel Management involves 32 million former, current and prospective federal employees, along with their relatives and references.
OPM suffered a data breach beginning in November but did not become aware of the intrusion until April. Though some officials believe China is behind the hack, OPM Director Katherine Archuleta said at a committee hearing Wednesday that information is classified.
Rep. Jason Chaffetz, R-Utah, chairman of the House Committee on Oversight and Government Reform, asked if OPM keeps records on up to 32 million people. Archuleta refused to confirm. Chaffetz restated the question, growing heated.
“I am not going to give you a number I am not sure of,” Archuleta said. “I look forward to providing an accurate and complete report as soon as possible.”
For Archuleta, Wednesday marked her second appearance before the committee in as many weeks. Some members, including Chaffetz, called for her resignation last week. Those calls rang louder Wednesday.
“I’m not hearing leadership here,” Rep. Barbara Comstock, R-Va., said. “When Target … when they had this problem, it wasn’t just their CIO that lost their job, it was their CEO.”
Archuleta told the committee she is “more committed than ever” to leading OPM.
Archuleta spent Tuesday testifying before a Senate committee. Sen. John Boozman, R-Ark., chairman of the Senate Appropriations Committee, said the OPM lacks clear lines of accountability. Other members asked why OPM had not fully encrypted its employees’ information.
Archuleta played offense.
“These attacks will not stop. If anything, they will grow,” Archuleta said Tuesday. “Indeed, in this case, encryption wouldn’t have prevented the breach.”
The OPM data breach adds to a growing concern over cybersecurity. In 2014 alone, prominent data breaches on U.S. soil included the U.S. Postal Service, Staples, Home Depot and Sony. The Target hack that Comstock mentioned happened in 2013.
The questions from Chaffetz to Archuleta that up to about 32 million personnel records may have been hacked applied heat to the OPM director.
Though the federal government does not have nearly 32 million employees, former, retired and prospective employees’ information may have been lifted during the data breach. In addition, relatives of current, former, retired and prospective employees who filled out Standard Form-86 – used to gain security clearances for some positions – may have had their information stolen.
“It’s easy to make a scapegoat out of someone or something,” Rep. Gerald E. Connolly, D-Va., said. “But what we’re facing is a much bigger threat than a management snafu. To pretend somehow this is Ms. Archuleta’s fault is to really miss the big picture and, frankly, a disservice to our country.”
Connolly said the U.S. is now engaged in a “low-level, but intense, new kind of cold war.”
“People have been warning about the risk of a cyber Pearl Harbor,” Rep. Ron DeSantis, R-Fla., said. “Does this qualify as a cyber Pearl Harbor?”
Ann Barron-DiCamillo, director of computer emergencies at the Department of Homeland Security, shied away from applying such a label to the OPM data breach.
Another question that neither Archuleta nor OPM CIO Donna K. Seymour could answer is whether any foreign nationals are contractors to OPM – a situation that might give them access to the system.
Toward the end of the hearing, Chaffetz took verbal aim at Archuleta.
“I think you’re part of the problem,” Chaffetz said. “If we want different results, we are going to have to have different people. We got a crisis.”
Reach Matthew J. Connor at [email protected] or 202-408-1494. SHFWire stories are free to any news organization that gives the reporter a byline and credits the SHFWire. Like the Scripps Howard Foundation Wire interns on Facebook and follow us on Twitter.
Download photos: Opm-06-22.zip