The Office of Personnel Management (OPM) Director, Katherine Archuleta, has been under increasing pressure these past few weeks after it was revealed that the OPM had suffered a devastating data breach affecting some 4 million government staffers. In light of the breach, many legislators took Archuleta and CIO Donna Seymour to task, pressing the duo for not using up-to-date security practices, including database encryption and two-factor authentication. As of Friday morning, Archuleta has informed President Barack Obama that she has officially resigned, having served as OPM director since 2013.
During the legislative hearing before the House Committee on Oversight and Government Reform, Archuleta said that protecting users’ information was one of her highest priorities.
“You have completely and utterly failed, if that was your mission,” Rep. Jason Chaffetz said during the hearing.
Members of Congress said there are still a number of pressing challenges awaiting the next director’s arrival.
“The challenges OPM faces are daunting and span far beyond the critical task of securing the agency’s information technology systems. They also include managing the immediate crisis faced by tens of millions of federal employees who have had their personal information compromised, overhauling the process by which our nation processes security clearances, improving oversight and accountability of contractors entrusted with this information, and working with the Government Accountability Office and the Inspector General to ensure that there is strong support for the agency’s path forward,” Rep. Elijah Cummings said.
The new total affected in the data breach of the Office of Personnel Management has reached 19.7 million, which, alongside the 4.2 million previously reported as affected, brings the grand total to some 21.5 million government staffers, past and present, affected in the breach. The news broke after a forensic investigation by officials at the OPM, FBI and DHS revealed that the hack has been ongoing since last December.
“While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants,” OPM officials said in a statement Thursday.
Details of the OPM breach are vague, if present at all, at the moment, but the recent news paints a worrisome picture of the security measures practiced inside the agency. Staffers at the agency originally discovered the hack back in April, and were surprised to find that it dated back as early as December 2014.
What’s even more worrisome is that audits conducted by the Office of the Inspector General (PDF) revealed that the OPM security infrastructure has systemic weaknesses, among them an undocumented system of the agency’s network alongside a weak vulnerability scanning program that the agency uses to keep its servers up-to-date with the latest security standards.
Officials close to the OPM hack believe there were two separate breaches on the internal network. The first resulted in the breach of the background-check system, which revealed the information of some 4.2 million workers, while the second likely affected the other 19 million individuals.