Now that Congress has completed its cross-examination of Katherine Archuleta, at least for the moment, she’ll have more time to figure out what happened during the massive theft of federal employee records.
After four congressional hearings, including three last week, many questions remain for the Office of Personnel Management (OPM) director. Despite persistent interrogation by skeptical and angry senators and representatives, some of whom called for Archuleta’s replacement, the key question of how many people were affected has still not been resolved.
The answer started out bad and can get worse.
Social Security numbers, birthdates and other personally identifiable information of 4.2 million current and former federal employees were stolen during the cyberattack. That number does not cover a different breach of OPM systems that held the confidential information from the background investigations of current, former and prospective federal employees who needed security clearances. Archuleta said reports that the number could jump to 18 million were unverified, but an OPM statement leaves us with this caution: “It is important to note that this is an ongoing investigation that could reveal additional exposures.”
That provides no comfort for those whose information could end up in the hands of foreign agents or criminals planning bogus financial deals.
One federal employee, Robert Jones, was unhappy to learn from media reports, not OPM, that the attack hit files containing extremely personal and detailed information about employees and applicants seeking clearances.
“Quite a shock if you know anything about the level of disclosure required in those security investigation forms,” wrote Jones, one of a number who responded to online queries from the Federal Diary. “Someone literally has enough information to step into my life. They know my SSN, DL#, friends, family, address history, work history, criminal history, financial history, everything.
“Credit monitoring is nice,” Jones added, “but it doesn’t come close to making up for the violation of privacy that occurred on their watch.”
OPM offered 18 months of credit monitoring and identity theft insurance, but a common complaint is that that is not enough.
“I think the credit monitoring should be for life and not just 18 months,” said Ted Bergeron, who works at the Portsmouth Naval Shipyard and was in other ways impressed with OPM. “After all, I can’t cancel my SSN and get a new one like I could with a credit card.”
While some employees were understanding about OPM’s reaction to the hack — “I’m not sure what else OPM could have done once millions of records had been compromised,” said David Rochlin, an Environmental Protection Agency (EPA) staffer in Denver — anger and frustration were more common.
“OPM is supremely unqualified to handle this,” said Alicia Valentino, a National Credit Union Administration employee.
Members of Congress said similar things to Archuleta. OPM responded vigorously, with statements and reports on the agency’s efforts to protect its cyber treasures. A public affairs office that once seemed sleepy and averse to putting even benign information on the record, jumped to life with written statements attributable to Samuel Schumach, the press secretary. He placed the best light possible on Archuleta’s testimony after her congressional appearances.
“One of her first priorities was the development of a comprehensive IT Strategic Plan, which immediately identified security vulnerabilities in the agency’s aging legacy systems, and embarked our agency in an aggressive modernization and security overhaul of our network and its systems,” said his Thursday statement.
But it’s clear that cyber-protection technology can be beaten by cyber-theft technology — and not just at OPM.
OPM also issued a report on its “Actions to Strengthen Cybersecurity and Protect Critical IT Systems.” It listed “23 concrete steps to improve information security” that happened “under Director Archuleta’s leadership” and 15 “new actions” that Archuleta has directed “be carried out with all due speed.”
Unfortunately, “all due speed” is too slow if you are the victim of a hack attack.
Dispatches have suggested the Chinese hacked OPM’s files for intelligence purposes, and there have not been widespread reports of bogus financial transactions related to the cyber theft. But Hannah Branning, an EPA scientist in Dallas, said she has experienced one. “I had to change my checking account because it was hacked,” she said. “I had two of my credit cards numbers stolen and over $5,000 worth of bogus charges made.”
Something else, even more important than credit card numbers, was stolen by the cyber thieves — trust.
“This comes right after I received a letter about my CareFirst account being hacked,” said Jennifer Ford, a Social Security Administration worker in Severna Park. “And just a few months ago, both my checking and credit card accounts were fraudulently accessed and money was taken out. I’ve been considering taking everything offline.
“I cannot trust my bank, my health insurer, my employer, or my creditors with my data.”
Masuma Ahuja, a Washington Post deputy digital editor, contributed to this report.