OPM Data Breach: Part II – Hearing Wrap Up

Published: Jun 24, 2015

Witnesses:
Ms. Katherine Archuleta, Director, U.S. Office of Personnel Management
Ms. Donna K. Seymour, Chief Information Officer, U.S. Office of Personnel Management
The Honorable Patrick E. McFarland, Inspector General, U.S. Office of Personnel Management
Ms. Ann Barron-DiCamillo, Director, U.S. Computer Emergency Readiness Team, U.S. Department of Homeland Security
Mr. Eric A. Hess, Chief Executive Officer, KeyPoint Government Solutions
Mr. Rob Giannetta, Chief Information Officer, USIS 

TAKEAWAYS:

  • Chairman Chaffetz reiterated his call for the resignation of U.S. Office of Personnel Management (OPM) Director Archuleta and Chief Information Officer (CIO) Donna Seymour.
  • There is continued uncertainty surrounding the number of Americans affected by the recent breach. According to prior testimony from Director Archuleta, OPM maintains personal information of 32M current, former and prospective federal employees. Director Archuleta has failed to state just how many of these people were affected by the breach, citing the investigation as ongoing.
  • OPM was misleading in its disclosure of information surrounding security breaches dating back to at least March 2014.
    • In discussing a March 2014 incident with WJLA, Director Archuleta stated “…we did not have a breach in security. There was no information that was lost.”
    • However, under oath today, Ms. Seymour contradicted that, saying “…manuals about our servers and the environment…” were taken and that those manuals would “give you enough information that you could learn about the platform, the infrastructure of our system.”
    • Further, contractors were never notified of the March 2014 breach despite contractual and regulatory language requiring their immediate notification.
    • While the administration disclosed on June 4, 2015 that personnel files had been compromised, they failed to disclose that security clearance data had also been stolen.
  • After years of OPM Inspector General (IG) audit warnings, OPM is now attempting to hastily overhaul its technical infrastructure, but without a full understanding of the scope or the cost of the project, according to the IG’s Flash Audit. The IG further stated during the hearing, “What I think is planned by OPM is dangerous.”

 

PURPOSE: 

  • To provide members an opportunity to gain additional information on the security of OPM information systems and the data it is entrusted to protect.
  • To examine OPM compliance with the Federal Information Security Management Act (FISMA).

  

BACKGROUND:

  • On June 4, OPM announced a data breach and its plan to notify approximately 4 million individuals whose personally identifiable information (PII) may have been compromised. The full extent of the data breach, including who was affected and what information was accessed, is still unknown.
  • The Committee held a hearing on June 16, 2015, titled, “OPM: Data Breach.” In prepared testimony, OPM Director Archuleta stated that “there was a high degree of confidence that OPM systems related to background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been compromised.”
  • During the June 16 hearing, OPM Director Archuleta indicated that, “any federal employee from across all branches of government, whose organization submitted service history records to OPM, may have been compromised.”

 

Key Videos:

Chaffetz:

“It was misleading, it was a lie, and it wasn’t true. When this plays out we’re going to find this was the step that allowed them to come back and why we’re in this mess today.”

 

Gowdy:

“Why, despite the plain language of the contract and the plain language of the regulation, why did you not immediately notify the contractor?”

 

DeSantis:

“…it seems we have bureaucratic paralysis, no one is really accountable.”