The Washington Post

New OPM data breach numbers leave federal employees anguished, outraged

Federal Diary

Katherine Archuleta, director, Office of Personnel Management, gestures while she testifies before the Senate Appropriations subcommittee on Financial Services and General Government at a hearing to review IT spending and data security at the Office of Personnel Management last month. (Cliff Owen/Associated Press)

If misery loves company, the Office of Personnel Management had a couple of good days. Then, its cyber sinkhole got much, much deeper.

News about computer problems grounding United Airlines, shutting the New York Stock Exchange and taking the Wall Street Journal’s home page offline momentarily overshadowed OPM’s problems and demonstrated how vulnerable the digital world is, even in the private sector.

But OPM’s world — and that of federal employees — became significantly more miserable with its announcement Thursday that personal data for 21.5 million federal employees, contractors, applicants and family members was stolen in the cyber theft of security clearance information. That’s on top of the 4.2 million pilfered files OPM announced June 4 involving another breach of federal personnel records.

Not only is the number of victims in the theft of background investigation files much greater than the hit on OPM’s personnel records, but so is the magnitude of pillage.

The loot includes “identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” according to OPM. “Some records also include findings from interviews conducted by background investigators and fingerprints. User names and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”

In other words, the thieves got damn near everything.

Calling the new number “staggering,” William R. Dougan, president of the National Federation of Federal Employees, said that “it is not yet clear how OPM can handle this massive increase, when they were already struggling with the initial 4.2 million. Now, not only do federal employees have to worry about their own personal information being exposed — but they must also worry about their spouse and children having their information compromised.”

As soon as the number was released, the calls to fire OPM Director Katherine Archuleta increased.

Contending that she and Donna Seymour, OPM’s chief information officer, were negligent and that they “consciously ignored the warnings and failed to correct these weaknesses” in the agency’s cybersecurity network, House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) said, “Again, I call upon President Obama to remove Director Archuleta and Ms. Seymour immediately.”

Last month, he initiated a letter to Obama, signed by 18 House members, urging Archuleta’s removal. The three top Republicans in the House, Speaker John Boehner (Ohio), Majority Leader Kevin McCarthy (Calif.) and Majority Whip Steve Scalise (La.), for the first time added their voices to the effort. So did Sen. Mark R. Warner (Va.), the most prominent Democrat so far.

During a phone call with reporters, Archuleta said she would not resign.

“I am committed to the work that I am doing at OPM,” she said, adding that she has trust in Seymour and OPM’s staff. “We are working very hard, not only at OPM, but across government to ensure the cybersecurity of all of our systems, and I will continue to do so.”

That commitment has not been effective enough for those affected by the two breaches. Even with the 3.6 million overlap between the two breaches, they number more than 22 million, enough to be the third most populous state, between Texas and Florida.

The stolen information has not been used by anyone, Archuleta said. But the theft victims are still worried. Another big fear is that the information is an espionage goldmine for the culprits, reportedly the Chinese, who could use it to compromise national security.

OPM is offering various services for the 21.5 million victims, including credit monitoring, identity theft insurance and fraud surveillance for at least three years. It created an “online incident resource center,” and promised to establish a call center in the coming weeks.

But no matter what is done after the theft, it will not be enough for those whose information was stolen.

“For these 21.5 million people, a lifetime’s worth of information was exposed,” said Richard G. Thissen, president of the National Active and Retired Federal Employees Association. “They deserve nothing less than a lifetime of protection. Three years is not enough and will not bring peace of mind to those awaiting official notification that they were impacted by this incident.”

OPM has been providing the 4.2 million affected by the hack of personnel records with 18 months of identity theft insurance.

The region’s senators — Virginia’s Warner and Timothy M. Kaine, and Maryland’s Benjamin L. Cardin and Barbara A. Mikulski, along with Del. Eleanor Holmes Norton (D.C.), all Democrats — have introduced legislation that would provide affected people with free lifetime identity protection and $5 million in identity theft insurance.

Citing outrage at the expanse of the breach, Cardin said that “off-the-shelf solutions are not good enough. We need to plug the holes in the federal network and make sure our workers, their families and all those who have been violated are held harmless from any damage that may be done.”

Added Norton: “Our lifetime protection would at least ease some of the anguish.”

But certainly not all of it.