The federal personnel agency’s watchdog said Tuesday that officials there have a history of failing to take basic steps to protect the security of their computer networks.
Michael Esser, the Office of Personnel Management’s assistant inspector general for audit, testified at a House hearing on the vast hack of federal employee data that for years, many of those in charge of information technology for OPM had no IT background. Esser also said the agency has not disciplined any employees for the agency’s failure to pass numerous cybersecurity audits.
Esser offered these key takeaways at a contentious hearing before the House Oversight and Government Affairs Committee. Angry accusations against OPM officials by Democrats and Republicans consumed much of the three-hour hearing, but the federal IT experts who testified shared some new details about the attack, which was discovered in April and disclosed this month.
An official with the Department of Homeland Security confirmed that there is a “high probability that data was removed from the network,” meaning that the hackers did not just have access to employees’ personnel files and security clearance forms, but extracted some of them from the system.
OPM Chief Katherine Archuleta said the agency, through a private contractor, is notifying 4.2 million current and former employees that their personnel information may have been exposed. That information, in addition to the database containing background information for security clearances, could date as far back as 1985.
But Archuleta cautioned that the total number of people whose information may have been compromised is still unknown.
Sylvia Burns, chief information officer for the Interior Department, where OPM’s data is hosted, testified that the hackers had access to all information that’s stored in Interior’s data center. But she said that so far, investigators have not discovered that data from other agencies was stolen.
The hacked personnel database contains Social Security numbers, addresses, job history, life insurance designations and other employment details for executive branch employees. But military service records, even if the employee served in other branches of government, also are in the database, Archuleta testified.
She said the agency fends off an average of 10 million hacking attempts a month.