Confusion Reigns Over OPM Data Breach
The Office of Personnel Management and the FBI have wildly divergent estimates of the total number of individuals affected by recent OPM data breaches, and the discrepancy of approximately 14 million has caused concern amongst lawmakers.
FBI officials have found that an estimated 18.2 million people are at risk of having their personal information stolen, but OPM Director Katherine Archuleta said that she does “not believe that this is an accurate number.” At a Senate Committee on Homeland Security and Governmental Affairs hearing June 25, she estimated that only 4.2 million have been affected.
Archuleta said that she does not “have an understanding" of how the FBI came up with its estimate. She acknowledged that she has yet to personally meet with FBI Director James B. Comey to discuss the discrepancy.
Sen. John McCain, R-Ariz., took issue with Archuleta’s lack of discussion with Comey, saying that it seemed that the matter did not “rise to her level of attention.”
“When there is a clear situation here of an allegation by the most respected law enforcement agency in America of 18.2 million, [and what] you’re alleging is 4 million, wouldn’t you sit down with the director of the FBI and say ‘Hey, the American people need to know, especially those 14 million between four and 18 million that may have been breached?” he asked. “Why wouldn’t you sit down with the FBI to find out where they got their information so you can corroborate it or deny it?”
The argument about numbers is not the only source of contoversy. While multiple reports have surfaced blaming China for the two recent hacks on OPM’s system, Archuleta deferred the line of questioning from the Senate committee, saying “OPM is not responsible for attribution.”
Quoting Comey, Sen. Tom Carper, D-Del. said: “There are two kinds of big companies in the U.S.: those that have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
Two separate breaches of OPM's networks were discovered earlier this year. The first, in which federal employee personal and financial information was hacked, was discovered in April. A second breach involving background investigation information was detected in May.
Notifications have been sent to 4.2 million federal employees potentially affected by the first data breach. OPM is currently unsure of the total number of individuals affected by the second.
“This massive theft of data may be the largest breach the federal government has seen to date,” said Committee Chairman Ron Johnson, R- Wisc. “Cybersecurity on federal agency networks has proved to be grossly inadequate. Foreign actors, cyber criminals and hacktivists are accessing our networks with ease and impunity.”
OPM has been hacked five times in the past three years, Johnson said, three of which happened on Archuleta's watch, which began 18 months ago.
OPM Inspector General Patrick McFarland, who has warned OPM multiple times of its vulnerability to cyber threat, stated the agency has continued to “neglect” and “ignore” his warnings and suggestions of shutting down OPM’s IT system infrastructure.
“I don’t know why they were ignored but they were ignored, in my estimation,” he said.
Archuleta said she did not follow McFarland’s guidance because she “had to make a very conscious and deliberate decision as to the impact of shutting down" the vulnerable systems. “I made a conscious decision that we move forward with this ... [and] make improvements as rapidly as possible. And we have done that,” she said.
Following the detection of the breaches, the Office of Management and Budget launched a 30-day "Cybersecurity Sprint" in an effort to further improve federal cyber infrastructure and protect systems against evolving threats, said Tony Scott, U.S. chief information officer for OMB. The strategy stemming from the initiative will detail short, medium and long-term steps that the government should take to address current operational deficiencies and vulnerabilitie, he said.