Congress ponders: OPM data breach could total 32 million Americans

As many as 32 million Americans might have had their most sensitive data stolen in a breach of the federal government’s human resources agency computers, lawmakers speculated Wednesday as pressure grew on President Obama to oust the woman who heads the agency that botched its cybersecurity.

Katherine Archuleta, director of the Office of Personnel Management, fought for her job, telling the House Oversight and Government Reform Committee that she, herself, is likely a victim of the breach and takes it seriously.

But her uneven performance, which often included reading rote responses from prepared notes rather than answering direct questions, didn’t sit well with key lawmakers, who called for a housecleaning at the agency.

“I think you’re part of the problem. I think if you want different results, we’re going to have to have different people,” said committee Chairman Jason Chaffetz, Utah Republican.

He also told OPM Chief Information Officer Donna K. Seymour that she was “in over your head.”

The hearing was held just hours after a cybersecurity firm reported that it found federal employees’ login and password information littered across the Internet and said dozens of agencies were vulnerable to the same kind of hack that befell the OPM.

Many workers use the same login and password combination for private purposes as well as work. When hackers breach some systems, they post the contents online. That includes federal employees’ logins, said Recorded Future, a cybersecurity threat intelligence firm.

The OPM has acknowledged losing data in two breaches: One intrusion stole personal information of about 4.2 million current and former federal employees, and hackers in the second breach gained access to the background check system, with some of the most sensitive information on millions of Americans who have filled out the government’s background check packet.

The White House has insisted that President Obama still has faith in Ms. Archuleta, but Congress has lost patience. Her rocky performance Wednesday didn’t help matters.

At one point, Ms. Seymour, Ms. Archuleta’s deputy for technology systems, acknowledged that the agency might have broken federal law and contracts by not informing a key company about the first data breach more than a year ago.

Ms. Archuleta refused to disclose how many people have been affected by the data breaches in total. Although the OPM has calculated that 4.2 million people had data stolen in one breach, officials cannot figure how many had information stolen in the more intrusive hack of federal background check systems.

She vehemently denied press reports that the data of 18 million people had been breached and said the final tally may be lower, but she couldn’t rebut Mr. Chaffetz’s speculation that it could be nearly twice that number.

“So it could be as high as 32 million?” Mr. Chaffetz prodded.

“I will not give a number,” Ms. Archuleta retorted. She again refused to shoulder blame for the breaches. She said the hackers are formidable but her agency is responding quickly to the problem. Her office released a cybersecurity plan that included hiring a cybersecurity adviser by Aug. 1 and trying to learn best practices from industry leaders.

That is in addition to a modernization plan the OPM has put into place to update its systems.

“I am committing to you that we’re going to do the best job that we can,” she said.

The agency’s inspector general said he has major concerns with how Ms. Archuleta’s staff is proceeding and predicted the costs will balloon far beyond the $93 million the OPM has projected. Even if the $93 million figure is accurate, the agency has no idea where it will get the money, inspector general Patrick McFarland said.

“The approach that they’re taking, I believe, will fail,” Mr. McFarland said. “They’re going too fast. They’re not doing the basics. And if that’s the case, then we’re going to have a lot of problems down the road.”

He also said the OPM is secretive and appears to be hiding key information from its own watchdog, delaying answers and giving nondefinitive responses.

Criticism spread at the hearing from the OPM to include some of the contractors that work with the agency and suffered their own breaches: U.S. Investigations Services and Keypoint Government Solutions.