- The Washington Times - Tuesday, June 23, 2015

Federal officials still don’t know how hackers got a hold of credentials that allowed them to break into the government’s main human resources computer system, stealing the most sensitive personal information on millions of Americans, the agency chief told Congress on Tuesday.

Months after the breach was detected, many of the details remain unclear — including how many millions of people have been affected and what kinds of data was stolen.

But Office of Personnel Management Director Katherine Archuleta insisted nobody should be fired or otherwise punished for the breach, saying they are all working diligently to try to get a handle on the situation.

“I don’t believe anyone is personally responsible,” she told the Senate Appropriations Committee. “I believe that we’re working as hard as we can to protect the data of our employees, because that’s the most important thing that we can do. And I take it very seriously. I’m angry as you are that this has happened to OPM, and I’m doing everything I can to move as quickly as I can to protect the systems.”

The Obama administration is working up an estimate to see if it will need to demand more money from Congress to fix the problems, which auditors said extend far beyond OPM and likely touched many agencies who are behind on their technological defenses.

Ms. Archuleta said the latest hack was actually two breaches: One that grabbed the personal information of more than 4 million federal employees, and another that got into the government’s background check system, and may have exposed the most sensitive of information about millions.


SEE ALSO: Iran nuclear deal clouded by long record of deception


It followed three smaller cybersecurity attacks in 2014.

Ms. Archuleta’s explanations aren’t sitting well with some lawmakers who say the questions are stacking up.

“The extent of the damage done by these attacks is not yet fully known, nor is it fully known how quickly OPM has moved to address the most glaring problems,” Sen. Ben Sasse, Nebraska Republican, wrote in a letter to Ms. Archuleta and to White House budget office Director Shaun Donovan and Homeland Security Secretary Jeh Johnson.

He said it’s also not clear that the steps the OPM has taken in the aftermath of the hacks will be effective in protecting systems in the future, and could take up to two years to complete.

Ms. Archuleta said even discovering the two major recent hacks is a sign that her agency is getting better. The attacks traced back to late last year, but weren’t discovered until officials began upgrading systems this year and noticed previous weird activities in the logs.

At least one of the breaches happened because someone used authentication credentials from an OPM contractor, Keypoint, which itself was hit by one of the earlier 2014 breaches.


SEE ALSO: GOP creates training program to improve its 2016 ground game


Ms. Archuleta said they don’t believe the company was at fault — though investigators aren’t sure exactly how the hackers got the credentials.

“We have not identified a pattern or a material deficiency that resulted in the compromise of the credentials,” she said. “And since last year we have been working with Keypoint and they have taken strides in securing its network and have been proactive in meeting the additional security controls that we have asked them to use to protect all of the background data.”

The OPM has promised those affected by the hacks will be given 18 months of credit monitoring and identity risk insurance, at a cost of about $20 million to federal taxpayers. Notices have gone out to the more than 4 million persons identified in one of the hacks.

Sen. James Lankford, Oklahoma Republican, said employees are already reporting long wait times in trying to access the help the government promised — and said some affected workers at other federal agencies find that they can’t even get to the OPM site offering help. It turns out their agencies’s cybersecurity systems have deemed the OPM page a potential scam, and restrict access.

Ms. Archuleta said they’re working on trying to fix that.

• Stephen Dinan can be reached at sdinan@washingtontimes.com.

Copyright © 2024 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.

Click to Read More and View Comments

Click to Hide