21.5 Million Exposed In Second Hack Of Federal Office

The revelation revived lawmakers’ calls for high-level resignations in the Office of Personnel Management.
By David Perera
@daveperera

POLITICO: Hackers stole sensitive information on 21.5 million people in the recently disclosed breach of the federal government’s background-check database, the Obama administration said Thursday — a shocking number that revived lawmakers’ calls for high-level resignations in the Office of Personnel Management.

OPM Director Katherine Archuleta told reporters she will not resign and won’t fire her chief information officer despite mounting calls for her to leave.

House leadership added their names to the mostly Republican pile today, with House Speaker John Boehner calling on President Barack Obama to “install new leadership at OPM.”

Sen. John McCain (R-Ariz.) also called for Archuleta’s head, saying the new numbers were “nothing short of staggering,” and adding that “it is time for new leadership at OPM to address the serious failures that led to this disastrous breach.”

But from across the aisle, Sen. Mark Warner (D-Va.) also called on her to go, the first Democrat in the Senate to do so.

“The technological and security failures at the Office of Personnel Management predate this director’s term, but Director Archuleta’s slow and uneven response has not inspired confidence,” the senator said in a statement. “It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability.”

The hack, one of two the beleaguered office disclosed in June, swiped what one security expert has called “crown jewels material” that would be of great use to foreign spy services, including information on mental health treatment and drug and alcohol use involving people applying for security clearances. The data also included fingerprints of 1.1 million Americans.

The office also revealed last month that a separate cyberattack had stolen Social Security numbers, phone numbers and addresses of 4.2 million current and former federal employees. The victims in that attack included several members of Congress.

Officials have anonymously blamed both attacks on hackers in China. The two affected populations of victims overlap, with 3.6 million individuals affected by both data breaches, placing the overall tally at 22.2 million.

With that total, the OPM data breach is not the largest ever, even against the federal government. In 2006, the personal data of 26.5 million active duty and retired military personnel was stolen from a Veterans’ Affairs Department laptop. The largest private-sector hacks, such as the 80 million records stolen from health insurer Anthem earlier this year, have involved many times more individuals.

But the total is still big enough to demand sweeping changes at OPM, said House Oversight and Government Reform Chairman Jason Chaffetz (R-Utah), whose panel grilled Archuleta last month at a hearing on the agency’s security lapses.

“As I’ve said since June 16, after the Oversight Committee held the first hearing on this disastrous data breach, Director Archuleta and CIO Donna Seymour need to resign or be removed,” Chaffetz said in a statement Thursday. He added: “Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable.”

But Archuleta said Thursday that she won’t step down.

“I am committed to the work that I am doing at OPM,” she said during a press call, adding that federal officials are “working very hard” to improve cybersecurity. “I have trust in the staff, including Donna Seymour.”

OPM’s critics have expressed outrage at what they call a series of dumbfounding lapses, such as failing to encrypt Social Security numbers or require people who log on remotely to use “two-factor” identification procedures that go beyond just a login and password. But Archuleta has rejected blame over the attacks, telling Senate appropriators last month that she doesn’t believe that “anyone is personally responsible.”

“If there is anyone to blame, it is the perpetrators,” said Archuleta, a former Denver schoolteacher and Obama For America organizer who has also served as chief of staff to former Labor Secretary Hilda Solis.

Archuleta was never qualified to hold the OPM job in the first place, GOP lawmakers said today.

“She ended up in this position because of her political and fundraising experience for the president, and she’s had some experience in the government, but if you were to compare her background experience to the head of personnel for a large Fortune 100 company or Fortune 500 company, she probably would have difficulty to get that job,” Rep. Will Hurd (R-Texas) told POLITICO.

But, since the first calls for her resignation came in June, the White House has defended Archuleta. “The president does have confidence that she is the right person for the job,” spokesman Josh Earnest told reporters June 17.

A federal official speaking on background said Thursday that OPM struggled to calculate a final figure for the larger hack of the security database, in part because agency officials were uncertain about whether to count people whose stolen information was less sensitive. Federal officials including Archuleta shied away until Thursday from providing a number, despite mounting calls from Congress after the White House belatedly acknowledged the second breach on June 12.

The 21.5 million figure breaks down to 19.7 million individuals who applied for a background investigation and an additional 1.8 million consisting mostly of spouses or live-in partners. Americans with background investigations conducted before the year 2000 are unlikely to be affected by the breach.

In addition to announcing the number Thursday, OPM said it will offer three years of free monitoring and protection services to people whose Social Security numbers were in the security background database.

Among the services it’s offering are continuous credit monitoring, identity theft insurance and identity restoration in the event that the information is abused.

“There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s system,” Archuleta said.

Counter-intelligence experts say that makes it much more likely that the hackers were spies, not thieves, since the data would be worth millions of dollars on the black market.

Federal officials have said the hackers stole copies of the 127-page disclosure forms, known as SF-86, in which people applying for security clearances expose a wealth of deeply personal information, including their mental health histories and names of foreign nationals they’re close to, as well as more run-of-the-mill data such as the names, physical and email addresses and telephone numbers of neighbors. The stolen records in some cases include findings from interviews conducted by background investigators, along with fingerprints.

“If you have my SF-86, you know every place I’ve lived since I was 18, contact people at those addresses, neighbors at those addresses, all of my family, every place I’ve traveled outside the United States since I was 18,” Comey said Thursday. “If I had substantial contact with any non-United States person, it’s on there, along with the contact information of that person. Just imagine you were a foreign intelligence service and you had that data, how it might be useful to you. So it’s a big deal.”

For example, security experts have said, Chinese agents could search the database for instances when agents with NSA covers were in the same place at the same time and make reasonable deductions about what they were doing there. Chinese intelligence may also find the identities of their own citizens in close communication with cleared personnel, since applicants reveal close or continuing contact with foreign nationals.

Counterintelligence experts have also said the database will allow China to select the most likely targets for recruitment, blackmail or even just a phishing attack, based on who has privileged access to federal computer systems. Thieves also stole SF-85 forms, the less intrusive questionnaire for non-sensitive positions.

The four Democratic senators who represent the national capital region — Warner and fellow Virginia Sen. Tim Kaine, along with Maryland Sens. Ben Cardin and Barbara Mikulski — introduced legislation to provide additional protections to federal workers Thursday evening.

Calling the OPM’s offer “severely lacking in the duration and extent of coverage,” the four introduced the Reducing the Effects of the Cyberattack on OPM Victims Emergency Response, or RECOVER Act of 2015. The bill mandates expanded, lifetime identity theft monitoring and $5 million of insurance coverage for federal workers, contractors and other individuals affected by the breach, according to a statement.

“This adjustment to what OPM has previously offered more adequately addresses the egregious nature of this federal cyberattack,” the statement went on.

Federal officials on the afternoon press call resisted naming the perpetrator but said their lack of public comment doesn’t necessarily mean they haven’t been active.

“Just because we aren’t doing public attribution does not mean we are not taking steps,” said White House Cybersecurity Coordinator Michael Daniel, who said the administration is looking at “all the different ways and all the different tools that we have to respond.”

Whoever they were, it was the same actor who undertook both attacks, said Andy Ozment, a Department of Homeland Security cybersecurity official. The adversary first penetrated OPM networks in May 2014, and used that attack to breach an OPM system hosted by the Department of Interior in October 2014, he said.


 

Tal Kopan contributed to this report.
