The OPM data breaches were referred to as “catastrophic,” “devastating,” and even deemed more serious to national security than the 9/11 World Trade Center attacks by New York Congresswoman Carolyn Maloney, D-N.Y., during the U.S. House Committee on Oversight and Government Reform's Tuesday morning hearing on the breaches.
But even with strong adjectives and extreme comparisons, to say the hearing was insightful would be generous.
Rep. Stephen Lynch, R-Mass., addressed Katherine Archuleta, director of OPM, more than halfway through the nearly three-hour session and said he felt he'd know less coming out of the hearing than he did walking in because of “the obfuscation and the dancing around” that OPM and other witnesses were doing.
Throughout the hearing, OPM staffers, as well as other federal employees associated with the Department of Homeland Security (DHS) and the Office of Management and Budget, among others, fielded questions pertaining to the breaches. Up until now, the exact details, including the exploited vulnerability and the precise number of victims, weren't public knowledge. Although the hearing aimed to change that, those details still remain unknown.
The committee members' questions primarily centered on security lapses and the agency's failure to address multiple known security weaknesses on its systems, even after the Office of Inspector General (IG) routinely told OPM it had “material weakness” because it had no IT policies or procedures in place.
The IG also previously noted that 23 percent of OPM's major information systems lacked proper security authorization, and nearly half of those systems were in the office of agency CIO Donna Seymour. Furthermore, it came out during the hearing that OPM failed to encrypt employees' Social Security numbers.
Archuleta justified this decision by saying attackers could have decrypted the personal information if they held the proper credentials. Although this might have been the case, Committee Chairman Jason Chaffetz, R-Utah, didn't care for her reasoning.
“You failed utterly and totally,” he said.
When Chaffetz followed up to ask Archuleta whose information might have been impacted and how far back it dated, Archuleta time and time again deferred to a “classified setting,” or a closed-door meeting scheduled for after the public hearing.
All Archuleta would say is that around 4.2 million were impacted in the first breach, and the second breach's scope remained to be seen.
Without an answer to their questions, at least one Representative called for something else: an apology.
“When is OPM going to apologize to over 4 million federal employees that just had their personal data compromised?” asked Ted Lieu, D-Calif. “When is OPM going to apologize to federal employees that had personally devastating information released through their SF-86 forms?”
He and other committee members then pushed further, calling for leadership to step down.
“I'm looking here today for a few good people to step forward, accept responsibility, and resign for the good of the nation,” Lieu said.