UPDATE–The ever-expanding data breach at the Office of Personnel Management has now spread to include the Social Security numbers and other personal data of a total of 21.5 million people, and the toll also now includes the agency’s director, Katherine Archuleta, who resigned Friday morning.
Archuleta had been under an increasing amount of pressure ever since the hack came to light last month. Legislators last month took Archuleta and CIO Donna Seymour to task for not addressing security deficiencies and failing to implement controls such as database encryption and two-factor authentication agency-wide. Archuleta said during the hearing before the House Committee on Oversight and Government Reform that protecting users was her highest priority.
“You have completely and utterly failed, if that was your mission,” Rep. Jason Chaffetz (R-Utah) said during the hearing.
Archuleta informed President Barack Obama on Friday that she was resigning, according to a report in the New York Times. Archuleta had been director of OPM since 2013.
Members of Congress said there are still many challenges awaiting the next OPM director.
“The challenges OPM faces are daunting and span far beyond the critical task of securing the agency’s information technology systems. They also include managing the immediate crisis faced by tens of millions of federal employees who have had their personal information compromised, overhauling the process by which our nation processes security clearances, improving oversight and accountability of contractors entrusted with this information, and working with the Government Accountability Office and the Inspector General to ensure that there is strong support for the agency’s path forward,” said Rep. Elijah Cummings (D-Md.).
The new total of people affected by the data breach comes as officials at OPM, the FBI, and DHS continue a forensic investigation into the attack on OPM, which began last December.
Officials said that in addition to the 4.2 million people affected by the breach who already have been notified, 19.7 million people who applied for a background check, and 1.8 million non-applicants such as spouses also are affected.
“While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants,” OPM officials said in a statement Thursday.
The details of the OPM breach, scant as they are at the moment, paint an ugly picture of the security practices inside the agency. OPM staffers detected the compromise in April and subsequently discovered that the attack went back as far as December 2014. Audits by the Office of the Inspector General had found systemic weaknesses in OPM’s security infrastructure, among them the existence of many undocumented systems on the agency’s network and a weak vulnerability scanning program.
OPM officials believe that there were two separate compromises of the agency’s network. The first attack resulted in the compromise of the background-check information belonging to 4.2 million current and former federal government employees, while the second attack apparently hit the data of 21.5 million additional people.
This story was edited on July 10 to add information on Archuleta’s resignation.