The agency that manages U.S. government personnel records is investigating whether Social Security numbers for as many as 18 million people were taken in the massive cyber-attack revealed in recent weeks, the director of the federal jobs agency told a congressional hearing Monday.
“The 18 million refers to a preliminary, unverified and approximate number of unique social security numbers in the background investigations data,” Katherine Archuleta, director of the U.S. Office of Personnel Management, testified.
“It is not a number that I feel comfortable, at this time, represents the total number of affected individuals,” she added.
The testimony came during the second hearing in two weeks by the House Oversight and Government Reform Committee into one of the largest and most serious cyber-attack’s in the government’s history. Federal officials familiar with the breach have said that hackers connected to the Chinese government are believed to be responsible for gaining access to forms recording personal information about people who apply for security clearances.
The committee chairman, Representative Jason Chaffetz, a Utah Republican, admonished Archuleta for the agency’s failings to prevent and detect the attack. Chaffetz called for her resignation.
“Archuleta stated no one is personally responsible for the OPM data breach and instead blamed the hackers,” Chaffetz said. “I disagree. As the head of the agency, Ms. Archuleta is—in fact—statutorily responsible for the security of the OPM network and managing any related risk.”
Donna Seymour, OPM’s chief information officer, testified that hackers stole “manuals about the way we do business,” including data about the agency’s servers, in a March 2014 hacking attack, one of two breaches agency officials believe were conducted.
“It would be fair to say that would give you enough information that you could learn about the platform -- the infrastructure -- of our system,” she said.
Chaffetz said that “when this plays out, we’re going to find that this was the step that allowed them to come back and why we’re in this mess today.”
Chaffetz said Archuleta had mislead the federal workforce by saying that no information was accessed in the attack discovered in March 2014. Archuleta defended herself by saying that she meant that no personally identifying information was stolen. The second attack came in June 2014, Seymour said.
Two government contractors were called to address the panel’s questions about whether cyber-attacks on their company networks led to the OPM breaches.
U.S. Investigations Services LLC, the contractor that conducted the security clearance background check on former contractor Edward Snowden and was sued over faulty background checks, notified the panel in writing Monday that a cyber-attack against its network last year affected two divisions of the Department of Homeland Security, intelligence operations and law enforcement agencies.
“Their letter disclosed that the breach at USIS affected not only DHS employees, but our immigration agencies, our intelligence community, and even our police officers here on Capitol Hill,” Representative Elijah Cummings of Maryland said during the hearing Wednesday.
Another government contractor, KeyPoint Government Solutions, sent its chief executive officer to tell lawmakers that there’s no evidence a data breach at the company led to the cyber-attack on OPM.
“We have seen no evidence suggesting KeyPoint was in any way responsible for the OPM breach,” Eric Hess told the panel in written testimony for the hearing.
Archuleta said hackers got into OPM’s network by stealing a credential from a KeyPoint employee. Hess said the employee was working on OPM’s network.
OPM has taken 23 steps, including installing more firewalls and mandating cybersecurity training, to shore up its networks since Archuleta became director, the agency said in a report released Wednesday. Going forward, OPM will hire a new cybersecurity adviser and consider encrypting more data to guard against hackers, the report said.