The Washington PostDemocracy Dies in Darkness

OPM still isn’t saying how many people were caught up in its breaches

Katherine Archuleta director, Office of Personnel Management, testifies before a House Oversight and Government Reform Committee hearing on Capitol Hill in Washington, Tuesday, June 16, 2015. (AP Photo/Cliff Owen)

Lawmakers want to know how many people were caught up in cyber attacks at the Office of Personnel Management. Today, agency officials said they still don't have answers.

On June 4, OPM revealed that personal information about 4 million current and former government was breached. The next week, it said a separate breach had hit the system that houses information about people who applied for security clearances. But the agency has not said how many people were affected by the second hack.

"I don't have a number for you on that," OPM chief Katherine Archuleta said when asked about the scope of the second breach by Sen. Jerry Moran (R-Kan.) in a Senate Appropriations Committee hearing.

The agency, she said, is still investigating. One problem is that the compromised security clearances database includes information not only about applicants, but their families, close friends, neighbors and contacts with foreign nationals.

"[A] federal background investigation file may have a number of different names and [personally identifiable information] within it," Archuleta said. "So that's why I can't give you a specific number on that one."

Archuleta said "millions" of files were compromised, but declined to give a more precise figure, saying she wanted to be confident in a number before it was released.

Some media reports have suggested that the total number of people caught up in both breaches will be significantly higher than the 4 million linked to the first incident. CNN, citing officials familiar with the issue, reported this week that FBI Director James Comey said in a closed-door Senate briefing that data about an estimated 18 million people had been compromised.

In the wake of the attacks some lawmakers have called for Archuleta's resignation and criticized OPM for not doing more to prevent the breaches.

During the hearing, Archuleta argued that no one at the agency was "personally responsible" for the breach, instead blaming the hackers and "enterprise-wide" failures.