Still unknown about one of the largest hacks of government personnel records two weeks after it was revealed: how many of the millions of records pilfered belonged to people working for the military or the country’s intelligence services.
The Office of Personnel Management acknowledged in a statement Tuesday that the hack may have compromised information from background checks into current, former and potential government employees.
But during an appearance before the House Committee on Oversight and Government Reform, OPM Director Katherine Archuleta was reluctant to address publicly the question of how many of those were in sensitive positions. She offered to discuss the issue in a closed-door meeting.
Archuleta promised that her agency would notify the people who may have had their information stolen. But she said investigations are ongoing and it still isn’t clear exactly what information was taken or who was responsible for the attack.
The records of as many as 14 million federal employees may have been accessed.
Archuleta also appeared reluctant to explain why sensitive personal information, like birth dates and Social Security numbers, was not encrypted, drawing a strong response from Chairman Jason Chaffetz, R-Utah.
“We didn’t ask you to come read statements,” he said. “I want to know why you didn’t encrypt the information.”
Archuleta explained that the network used by her agency was too old and that skilled hackers can still extract information, even when encrypted. She said the agency uses other methods of protection instead, such as limiting administrators and requiring multifactor authentication.
Chaffetz dismissed the methods as completely ineffective.
“OK, well it didn’t work,” he said. “You failed. You failed utterly and totally.”
This was not the first hack into government personnel records, and the agency’s inspector general has been warning of a massive attack since 2007. Archuleta said her agency has been taking steps to improve cybersecurity, but these problems are difficult to fix and take time.
After the hearing, Chaffetz called for accountability for government officials who failed to prevent the hack – including Archuleta – and a strong response to the perpetrators of the hack.
“There has to be a consequence for somebody hacking at this level,” Chaffetz said. “It scares me what they might do with that information. I think employees of the federal government are going to be dealing with this for years.”
Rep. Jim Langevin, D-R.I., echoed his sentiment.
“Once we fully know what happened, it will determine who’s responsible and who should be held accountable,” he said. “But I want to get all the facts first.”
He also acknowledged the difficulties of crafting a proportional response to a largely unprecedented situation.
“We should take some strong action against the perpetrators,” he said. “But since we don’t have any international rules of the road, so to speak, and what appropriate actions and sanctions should be, that’s a challenge.”