The US government's human resources agency still has no idea how many people were affected by massive hacks it suffered last year. All the Office of Personnel Management (OPM) has been able to say so far is that millions of government staffers had their personal data, including Social Security numbers and security clearance information, stolen. Exactly how many were hit, and precisely what data was taken, OPS either doesn't know or is not saying.
But Archuleta also confirmed officially for the first time that OPM still doesn't know how many current and former government employees were victims of a second, separate breach, this one affecting data on security clearance applications and background checks, data that experts believe is a "gold mine" for foreign spies.
Archuleta said during a congressional hearing that OPM does not have "an estimate" of the number of people hit in this second breach, because various agencies "feed into OPM background investigation system," and OPM is still working with these agencies to figure out exactly who was affected.
OPM does not have "an estimate" of the number of people hit in this second breach.
"We do not have that number at this time," she said, before dodging a series of questions from Rep. Jason Chaffetz (R-UT), the chairman of the House Oversight and Government Reform Committee, who wanted to know whether CIA officers or military members were affected as well.
Those questions, Archuleta said, would be better answered in a separate classified hearing, which would be held on Tuesday afternoon. Archuleta also declined to clarify how far back the data stolen goes, although reports indicate that it might go back decades.
During the hearing, Chaffetz slammed Archuleta and her agency for their "complete and total utter failure" in protecting highly sensitive data on millions of government workers.
OPM's security practices were "akin to leaving all the doors and windows in your house open and expecting that nobody would walk in and nobody would take any information," Chaffetz said, citing a long string of OPM Inspector General reports that detailed OPM's security shortcomings. "How wrong they were."
OPM's security practices were "akin to leaving all the doors and windows in your house open and expecting that nobody would walk in."
Archuleta and her colleague Donna Seymour, OPM's chief information officer, failed to provide much more information about the hack during the hearing, and got slammed because of it.
"I wish that you were as strenuous and hard working at keeping information out of the hand of hackers as you are keeping information out of the hands of Congress and federal government employees," Rep. Stephen Lynch (D-MA) told Archuleta. "You're doing a great job stonewalling us, but hackers, not so much."
One thing that Archuleta did admit, though, was that data such as Social Security numbers was not encrypted. But this failure to protect the data would not have mattered because the attackers had access to valid login credentials, according to Andy Ozment, the assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security, who also testified during the hearing.
On June 4, OPM revealed that hackers had compromised its network and stolen records about at least 4 million government employees. But the initial estimate of the damage, as it turned out, came up short. The hackers, whom government officials believe to be Chinese, stole much more data than initially thought.
OPM confirmed on Tuesday what multiple outlets had previously reported, that the hackers got their hands on forms and data from current and past government employee's security clearances and background checks.
"You're doing a great job stonewalling us, but hackers, not so much."
One of the forms whose that was likely compromised, known as SF86, is 127 pages long. It is designed to collect all sorts of information from someone applying for a security clearance, especially detailed biographical data that includes embarrassing information on past legal, private, and even criminal troubles. These are all personal details that could be used to blackmail a government worker, or steal his or her identity.
OPM detected the initial breach in April, and three months later, it has yet to come out and clarify exactly what data was stolen and how many people were affected—assuming the agency actually knows the extent of the damage. Meanwhile, hackers on the dark web are claiming to be in possession of the data, and are trying to sell it to the highest bidder. But although some of the leaked data appears to be legitimate, there's no evidence that it comes from this hack, according to experts.