Lawmakers hammered the chief of the Office of Personnel Management Wednesday, pressing her to provide an estimate of how many people had their records exposed in the two hacks to the agency’s systems.
During a grueling four-hour hearing before the House Committee on Oversight and Government Reform, Katherine Archuleta said 4.2 million people were affected by the records breach first reported June 4. In another hack into background check information held by OPM, unverified reports found that 18 million people were impacted.
Archuleta noted that the 18 million number was preliminary and said there might be overlap in the two groups, adding she was “not comfortable with” that number.
Committee Chairman Jason Chaffetz, R-Utah, pointed to the agency’s recent budget request, which said OPM held records for as many as 32 million people.
“Are you here to tell me that that information is all safe or is it potentially 32 million records that are at play here?” he asked.
Archuleta demurred. “We’re reviewing the number and the scope of the breach,” she told lawmakers. She added, “I’m not going to give you a number that I am not sure of.”
The panel was the latest of a series of congressional hearings investigating the massive hack of the agency’s systems. In her opening statement, Archuleta laid out plans to better secure the agency’s records. Among them: She wants to bring in a new cybersecurity adviser who would report directly to her by Aug. 1. She also plans to reach out to chief information security officers at private companies that face their own cybersecurity challenges.
But Patrick McFarland, inspector general at OPM, said he was less than enthused with Archuleta’s proposed plan.
“No, that doesn’t satisfy me and my concerns,” McFarland said when asked by the committee’s senior Democrat Rep. Elijah Cummings of Maryland. “We have a whole suitcase of concerns.”
While many lawmakers on both sides of the aisle pummeled Archuleta for information about the hacks, Democratic Rep. Gerry Connolly, who represents a district with a large number of federal employees, urged caution, saying that blaming Archuleta would be shortsighted. He said the hack represents a larger effort by foreign bad actors to break into U.S. government and private enterprise systems in a kind of cyber “Cold War.” Chinese hackers are suspected to be behind the breaches.
“What we’re facing is a much bigger threat than a management snafu,” he said.
Archuleta has defended her reputation. A day before, Archuleta testified before the Senate Appropriations Committee’s Financial Services and General Government Subcommittee that no one at her agency was “personally responsible” for the two hacks.
“I disagree,” Chaffetz said in his prepared statement. “As the head of the agency, Ms. Archuleta is, in fact, statutorily responsible for the security of the OPM network and managing any related risk.”