OPM shuts down background investigation system, faces lawsuit
OPM shut down one of its background investigation systems after it discovered a vulnerability, on that same day, the country's largest federal employee union filed a lawsuit against the agency.
The U.S. Office of Personnel Management (OPM) shut down part of its background investigation system on Monday after the agency discovered internal vulnerabilities.
The E-QIP web-based platform is used to complete and submit background investigation forms, OPM wrote in a press release, and it could be offline for four to six weeks while being patched.
“The actions OPM has taken are not the direct result of malicious activity on this network, and this is no evidence that the vulnerability in question has been exploited,” the press release stated. “Rather, OPM is taking this step proactively, as a result of comprehensive security assessment, to ensure the ongoing security of its network.”
The vulnerability was discovered during a review of the agency's IT systems.
While Director Katherine Archuleta continued to bear the brunt of legislators' fury over the agency's two disclosed data breaches, OPM now faces a lawsuit from the largest federal employees union.
The American Federation of Government Employees, which represents 65,000 federal employees, filed suit in the U.S. District Court for the District of Columbia on Monday. It claimed that officials' negligence, including the actions of Archuleta and CIO Donna Seymour, led to the data breach of SF-86 forms
More specifically, the lawsuit cited recommendations made by the Office of Inspector General to improve OPM's security. These suggestions were never acted upon. The lawsuit also referenced a separate data breach on an OPM contractor's systems as a source of the data incident.
“The combination of KeyPoint's cyber security weaknesses and the OPM's cybersecurity failures caused the massive scope of the OPM breach,” the lawsuit said.
Although the lawsuit focused on the breach of personal information gleaned from SF-86 forms, Archuleta has yet to provide a specific number of those affected. Most media outlets have speculated the number of victims will come out to around 18 million, although the number 32 million has also been cited, as that is the number of current and former federal employees for whom OPM has records in its database.
Reports now indicate that OPM might provide a concrete number as early as next week. This possible timeline was noted during a conference call between OPM, the Department of Homeland Security and congressional staffers.