Hearing Wrap Up – OPM: Data Breach Full Committee Meeting
Witnesses:
Ms. Katherine Archuleta, Director, U.S. Office of Personnel Management<
Ms. Donna K. Seymour, Chief Information Officer, U.S. Office of Personnel Management
Dr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, U.S. Department of Homeland Security
Mr. Tony Scott U.S. Chief Information Officer, U.S. Office of Management and Budget
Ms. Sylvia Burns, Chief Information Officer, U.S. Department of the Interior
Mr. Michael R. Esser, Assistant Inspector General for Audits, U.S. Office of Personnel Management
TAKEAWAYS:
- State sponsored and non-state sponsored hackers are aggressive, motivated, persistent and well-funded in their attempt to breach government and commercial systems.
- For the breach at OPM, 4.2M individuals will be informed that their information has been compromised, and that the information taken, including data related to security clearances, could date as far back as 1985.
- However, the total number of those affected is still unknown. During the hearing, Director Archuleta indicated that, “any federal employee from across all branches of government, whose organization submitted service history records to OPM, may have been compromised.”
- OPM made a conscious decision to ignore repeated warnings from the Inspector General.
- DHS confirmed that it is a “high probability that data was removed from the network.”
- While OPM had the responsibility for encrypting data like Social Security numbers they failed to do so.
PURPOSE:
- To provide Members an opportunity to gain information on the nature and extent of the recent U.S. Office of Personnel Management (OPM) data breach.
- To discuss federal agency compliance with the Federal Information Security Management Act (FISMA).
BACKGROUND:
- On June 4th, OPM announced a data breach and its plan to notify approximately 4 million individuals whose personally identifiable information (PII) may have been compromised. OPM’s data center is housed by the U.S. Department of the Interior.
- The full extent of the data breach, including who was affected and what information was accessed, is still unknown.
- The data may have been unencrypted, making employee information immediately usable if extracted.
Key Videos:
Chaffetz:
“You failed, utterly and totally”
Mulvaney:
“That’s what frightens me, Ms. Archuleta, that this is the best of your ability”
Russell:
“‘We did not encrypt because we thought they might be able to decipher’ That is just baffling to me”