The Washington PostDemocracy Dies in Darkness

After the latest hack attack, can feds trust Uncle Sam with their personal information?

Office of Personnel Management headquarters. (Wikimedia Commons)

For federal employees, the massive data breach at the Office of Personnel Management (OPM) raises a troubling question: Why should the government be trusted to protect their personal information?

OPM says a “cybersecurity incident,” revealed on Thursday, was detected in April. “Incident” is small word for a big theft, a serious and far-reaching hijacking that endangers the personal information, including Social Security numbers, of 4 million current and former federal employees. The cybertheft began in December.

But it’s not the word choice that has federal workers and members of Congress upset. It’s the three Ts — trust, times and time.

On trust, “given the repeated major digital security failures and the lack so far of meaningful accountability, unless the Congress funds and the president takes swift and decisive corrective action, it is impossible to argue that federal employees should trust their employer with their personal information,” said Lee Stone, a NASA scientist and an International Federation of Professional and Technical Engineers officer.

Those repeated failures speak to the number of times the personal information of federal employees has been the target of digital intrusion across government, not just OPM.

[Federal Diary: Working for Uncle Sam can be risky]

“The number of reported information security incidents involving personally identifiable information (PII) has more than doubled over the last several years” at federal agencies, from 10,481 in fiscal year 2009 to 25,566 in 2013, the Government Accountability Office reported last year.

OPM, however, is in a particularly critical position because in some ways it functions like the government’s personnel office. An inspector general’s audit in November said “the drastic increase in the number of systems operating without a valid Authorization is alarming and represents a systemic issue of inadequate planning by OPM program offices to authorize the information systems that they own.”

Samuel Schumach, OPM’s press secretary, defended the agency, saying “OPM took action in February 2014 and developed an aggressive plan to bolster our IT networks and databases and adopt state-of-the-art security protocols.” He noted the audit “credited OPM for developing a plan to strengthen IT security policies” and “where the audit found certain weaknesses, OPM was at that time already planning and implementing certain upgrades and controls.”

If OPM is behind on cybersecurity, which it is, it has plenty of company.

For fiscal year 2014, 19 of 24 major federal agencies reported that deficiencies in information security controls constituted either a material weakness or significant deficiency in internal controls over their financial reporting,” GAO reported in April. “In addition, inspectors general at 23 of these agencies cited information security as a major management challenge for their agency.”

[GAO’s April report on cyberthreats facing federal agencies]

Another attack on an OPM database was discovered in March 2014. Employees weren’t informed until July, leading to complaints like those heard now about the third T – time – as in the time it takes for agencies to inform staffers about an attack.

Lucy Barber said she’s heard from colleagues about “the outrage [at] the delay between the government knowing about the breach and notifying employees.”

There is outrage in Congress, too. “OPM needs to do what they should have done weeks ago and personally contact each current and former employee impacted and provide all of their resources to help our civil servants deal with this intrusion,” said Rep. Don Beyer (D-Va.).

After learning of the latest intrusion in April, OPM worked with the Department of Homeland Security’s Computer Emergency Readiness Team “as quickly as possible to assess the extent of the malicious activity and to identify the records of individuals who may have been compromised,” Schumach said. “During the investigation, OPM became aware of potentially compromised data in May 2015.  With any such event, it takes time to conduct a thorough investigation and identify the affected individuals.” OPM planned to begin contacting employees Monday.

As disturbing as all this is, at least the credit rating of feds might not be at risk. As my colleague Ellen Nakashima reported, the Chinese allegedly stole the information possibly to build their own database of federal employees, not to make bogus flat-screen television purchases at Target, which was the victim of an earlier hack attack.

[With a series of major hacks, China builds a database on Americans]

Previous cyber-hits coupled with the recent one cause Congress, not just the rank and file, to worry about OPM’s ability to protect the workforce.

The latest “reported breach is part of a troubling pattern by this agency in failing to secure the personal data of federal employees – the second major breach in a year,” said Sen. Mark R. Warner (D-Va.). “. . .We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”

One scary thought from OPM:  “Since the investigation is on-going, additional PII (personally identifiable information) exposures may come to light.”