Confusion Reigns Over OPM Data Breach

CYBERSECURITY

Confusion Reigns Over OPM Data Breach

6/26/2015
By Allyson Versprille

Taylor Feuss

The Office of Personnel Management and the FBI have wildly divergent estimates of the total number of individuals affected by recent OPM data breaches, and the discrepancy of approximately 14 million has caused concern amongst lawmakers.

FBI officials have found that an estimated 18.2 million people are at risk of having their personal information stolen, but OPM Director Katherine Archuleta said that she does “not believe that this is an accurate number.” At a Senate Committee on Homeland Security and Governmental Affairs hearing June 25, she estimated that only 4.2 million have been affected.

Archuleta said that she does not “have an understanding" of how the FBI came up with its estimate. She acknowledged that she has yet to personally meet with FBI Director James B. Comey to discuss the discrepancy.

Sen. John McCain, R-Ariz., took issue with Archuleta’s lack of discussion with Comey, saying that it seemed that the matter did not “rise to her level of attention.”

“When there is a clear situation here of an allegation by the most respected law enforcement agency in America of 18.2 million, [and what] you’re alleging is 4 million, wouldn’t you sit down with the director of the FBI and say ‘Hey, the American people need to know, especially those 14 million between four and 18 million that may have been breached?” he asked. “Why wouldn’t you sit down with the FBI to find out where they got their information so you can corroborate it or deny it?”

The argument about numbers is not the only source of contoversy. While multiple reports have surfaced blaming China for the two recent hacks on OPM’s system, Archuleta deferred the line of questioning from the Senate committee, saying “OPM is not responsible for attribution.”

Quoting Comey, Sen. Tom Carper, D-Del. said: “There are two kinds of big companies in the U.S.: those that have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”

Two separate breaches of OPM's networks were discovered earlier this year. The first, in which federal employee personal and financial information was hacked, was discovered in April. A second breach involving background investigation information was detected in May.

Notifications have been sent to 4.2 million federal employees potentially affected by the first data breach. OPM is currently unsure of the total number of individuals affected by the second.

“This massive theft of data may be the largest breach the federal government has seen to date,” said Committee Chairman Ron Johnson, R- Wisc. “Cybersecurity on federal agency networks has proved to be grossly inadequate. Foreign actors, cyber criminals and hacktivists are accessing our networks with ease and impunity.”

OPM has been hacked five times in the past three years, Johnson said, three of which happened on Archuleta's watch, which began 18 months ago.

OPM Inspector General Patrick McFarland, who has warned OPM multiple times of its vulnerability to cyber threat, stated the agency has continued to “neglect” and “ignore” his warnings and suggestions of shutting down OPM’s IT system infrastructure.

“I don’t know why they were ignored but they were ignored, in my estimation,” he said.

Archuleta said she did not follow McFarland’s guidance because she “had to make a very conscious and deliberate decision as to the impact of shutting down" the vulnerable systems. “I made a conscious decision that we move forward with this ... [and] make improvements as rapidly as possible. And we have done that,” she said.

Following the detection of the breaches, the Office of Management and Budget launched a 30-day "Cybersecurity Sprint" in an effort to further improve federal cyber infrastructure and protect systems against evolving threats, said Tony Scott, U.S. chief information officer for OMB. The strategy stemming from the initiative will detail short, medium and long-term steps that the government should take to address current operational deficiencies and vulnerabilitie, he said.

Topics: Cyber, Cybersecurity

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES