Federal officials acknowledged Thursday that hackers managed to steal information on more than 21 million Americans from the government’s background check computers, including details of their health and financial histories, as the shocking outlines of the breach finally became clear.
After weeks of downplaying the hack, the Office of Personnel Management acknowledged that the numbers were worse than even the figures they had been downplaying earlier, and critics said the type of information stolen is a cybersecurity nightmare because the kinds of personal details would let a hacker pose successfully as someone else.
The hack also extended beyond federal employees, grabbing information about family members and roommates of people who once applied for security clearance.
OPM Director Katherine Archuleta, who announced the details in a phone press conference, insisted she won’t resign in the wake of the troubling findings, saying it was because of her efforts that the breach was even discovered.
But the calls for her to be fired grew among both Democrats and Republicans on Capitol Hill.
“Too much trust has been lost, and too much damage has been done,” said House Speaker John A. Boehner, Ohio Republican. “President Obama must take a strong stand against incompetence in his administration and instill new leadership at OPM so we can move forward in a fashion that begins to restore the confidence of the American people.”
OPM said the breach of background check computers affected 19.7 million people who had applied for background checks and 1.8 million others — mostly spouses or “co-habitants” of those who applied.
The information stolen is a road map for future cybersecurity breaches: passport numbers and travel history; complete personal health, education, employment and financial information; and a complete family tree.
Taken together, that is the kind of personal data that could allow a hacker to successfully impersonate someone online, by answering gatekeeper questions such as mother’s maiden name or where someone used to live.
Details from the background check interviews of more than 1 million also were stolen, OPM acknowledged.
“China may now have the largest spy-recruiting database in history,” Sen. Ben Sasse, Nebraska Republican, wrote in an op-ed for Wired.com, warning that the breach could be even worse that the OPM is letting on. “OPM says it has ’high confidence’ it understands the full scope of the data losses. I’m skeptical. This is the same crowd that could not detect the hacks in the first place.”
The background check breach is in addition to information stolen on 4.2 million Americans from another OPM system.
There is some overlap with people whose information was stolen in both breaches, so the total number of unique individuals affected is likely just more than 22 million. The government said it is offering credit monitoring and identity theft insurance to all of those who have been affected by both breaches.
The “giga-boatload” of stolen personal information “about everybody who has worked for, tried to work for, or works for the United States government” creates a national security issue, FBI Director James Comey said during a Thursday roundtable discussion.
“It’s a very big deal from a national security perspective and a counterintelligence perspective, as you might imagine,” he said, adding that he is probably one of those who has been affected personally.
He said he expects his Standard Form 86 — known as SF-86, a 127-page questionnaire for national security clearance that asks all the probing questions — is now in the hands of “the adversary.”
“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there,” he said.
The OPM systems were hacked more than a year ago, but the agency is only now detailing it — and it’s worse than officials had let on.
Last month, Ms. Archuleta dismissed reports that some 18 million people had data compromised and hinted to Congress that the number would likely be lower.
The OPM did not lay blame for the hack, but lawmakers briefed on the situation have said the culprits were likely Chinese.
Ms. Archuleta defended herself in a blog posting and in a conference call with reporters, saying she would not resign and taking credit for discovering both breaches, which she said would have gone undetected but for security enhancements put into place during her tenure.
She also said there is no evidence that the stolen data have been used.
“I am committed to the work that I am doing at OPM,” she said, adding that she also had faith in Donna Seymour, the chief information officer at OPM.
Ms. Archuleta becomes the latest administration official to end up in crosshairs after embarrassing agency failures. Mr. Obama fired the chiefs of the Internal Revenue Service and the Department of Veterans Affairs after scandals there, but Health and Human Services Secretary Kathleen Sebelius survived more than six months after she oversaw the botched 2013 rollout of Obamacare exchanges.
Republicans said Ms. Archuleta missed the warning signs, including repeated reports by her agency’s inspector general that urged her to take cybersecurity more seriously, and to shut down programs that were in danger of being compromised.
She refused to shut down the systems at the time, saying it would have caused more harm to background checks. But she reversed herself last week, taking one system — a Web-based background check program known as e-QIP — offline to make security upgrades.
Most of the calls for Ms. Archuleta’s dismissal have come from Republicans — besides Mr. Boehner, Majority Leader Kevin McCarthy of California, Majority Whip Steve Scalise of Louisiana and Oversight and Government Reform Committee Chairman Jason Chaffetz of Utah.
But Sen. Mark R. Warner, Virginia Democrat, added his voice to the growing list Thursday, saying that while security problems at the OPM predate Ms. Archuleta, her “slow and uneven response has not inspired confidence.”
“It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability,” Mr. Warner said.
• Stephen Dinan can be reached at sdinan@washingtontimes.com.
Please read our comment policy before commenting.