Breach, Data Security

OPM breach possibly compromises more than 32 million current and former employees’ PII

Office of Personnel Management (OPM) Director Katherine Archuleta isn't talking, or at least she's not providing concrete figures for the second, and possibly historically large, data breach at her agency.

At her second breach-related hearing in front of the House Oversight and Government Reform Committee on Wednesday, Archuleta remained tight-lipped about numbers and wouldn't offer an exact figure of victims affected.

Committee Chairman Jason Chaffetz, R-Utah, didn't accept a delay in producing a number, though, and pointed to a budget request for the year 2016 that Archuleta penned this past February.

In that request she wrote: “As a proprietor of sensitive data—including personally identifiable information for 32 million federal employees and retirees—OPM has an obligation to maintain contemporary and robust cybersecurity controls.”

Feasibly, Chaffetz argued, at least 32 million current and former federal employees could have personal data at risk, and of particular concern is the information provided in SF-86 forms, which are thought to have at least been accessed. Additionally, these forms often ask for other people's information, even those outside the government. They could be impacted as well, Chaffetz said.

Archuleta deflected the questioning, and said she wasn't comfortable confirming any number.

One figure is certain, however, the personnel records data breach at OPM, which was detected in April 2015, impacted at least 4.2 million federal government workers. Those victims were to be notified by June 19.

With no figure for its second breach and multiple remaining questions, legislative members have rallied around the idea of firing or forcing Archuleta's resignation.

One representative feels differently, however.

Representative Gerald E. Connolly, D-Virg., noted during the hearing that to pretend the breaches were Archuleta's fault would be missing the bigger picture.

“We know we are engaged in a low level but intense new kind of Cold War,” he said.

He went on to define it as “cyberwarfare with certain adversaries,” including Russia and China.

Archuleta promised to provide further information pending deeper investigation, but in the meantime, she said she would be hiring a cybersecurity advisor with an Aug. 1 start date. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.