Navy warns hackers snatched fingerprint records as OPM chief resigns

Office of Personnel Management Director Katherine Archuleta testified before Congress June 25 on the security breach. On Friday, President Barack Obama accepted her resignation.

The controversy over the computer breach of 21 million federal employment records ballooned Friday as the director of the government’s personnel office resigned and the Department of the Navy warned that pirated information included the fingerprints of more than 1 million people.

Office of Personnel Management Director Katherine Archuleta, who had resisted demands that she quit, personally submitted her resignation to President Barack Obama, who accepted it.

“I conveyed to the president that I believe it is best for me to step aside and allow new leadership to step in, enabling the agency to move beyond the current challenges and allowing the employees at OPM to continue their important work,” Archuleta said in a statement.

Late in the day, the Department of the Navy sent out a notice to its more than 436,000 active and reserve personnel and more than 195,000 civilian employees warning them that the stolen information included “the findings of interviews conducted by background investigators and approximately 1.1 million included fingerprints.”

“Significant numbers of current, former, and prospective military members and government civilians, as well as contractors, have been affected,” said the notice, which added that advisories would be sent out in the coming weeks to Navy personnel affected by the hack.

The Department of the Navy “continues to assess the risks associated with these data breaches. It is prudent to assume that we are all affected by the compromise of this information,” it said.

The Navy statement was the most explicit warning to date of the seriousness of the breach, which, combined with a smaller but related hack of a database that was revealed last month, underscored the vulnerabilities of government computers.

The Navy statement was likely to increase the fears that the pilfered personal data could be used to blackmail federal workers and contractors with top-secret clearances.

U.S. officials have said that the attacks on the OPM computer system appeared to have originated in China, although the investigation is expected to take some time to complete.

The pilfered data, which was not encrypted, included Social Security numbers, residency, health, employment and education histories and information on family members and friends. In the cases of 19.7 million people who’d applied for security clearances, the data also included highly sensitive material on criminal records, drug use and love lives. Information on about 1.8 million non-applicants, mostly spouses or cohabitants of applicants, also was stolen.

Most of the background checks impacted by the hack took place in 2000 or later, but individuals who underwent checks prior to 2000 could also have been affected, the Navy said.

“It will . . . take years before the full security repercussions may be known, and the intelligence community is already taking steps to address any new vulnerabilities posed by the compromise of this data,” said Rep. Adam Schiff of California, the senior Democrat on the House Intelligence Committee.

White House spokesman Josh Earnest insisted that Archuleta had resigned “of her own volition.” He declined to say whether any of Obama’s personal data was swept up and who the administration suspects was responsible for the breach. He also refused to discuss what the administration believes the hackers intend to do with the stolen information.

“Obviously we want to make sure that those who may be affected by this breach get as much protection and support that we can offer them,” Earnest said.

OPM will provide those affected with credit reporting and identity theft prevention services, and it is setting up a call center from which they could obtain advice, he said.

Earnest could not put a price tag on the cost of the theft protection services and didn’t have a time line for when people might be notified that they were hacked.

But he said the administration is “working very aggressively” to alert those affected. “Promptly notifying those individuals whose data may have been compromised is a top priority of the investigation,” he said.

An administration official, who requested anonymity because he wasn’t authorized to discuss the issue publicly, said that “multiple attempts” had been made to contact all 4.2 million people affected by the first breach.

Of that number, more than 850,000 have enrolled to receive complimentary 18-month subscriptions to identity protection services.

Some 3.6 million people affected by the first breach also lost personal data in the second, more massive hack, he said.

Archuleta resigned a day after she disclosed the theft of the personal information of 21.5 million federal job applicants and current and past employees whose backgrounds her agency reviewed. At that time, she said she had no intention of submitting to calls for her to quit from lawmakers on both sides of the aisle.

Her disclosure of the massive breach followed the revelation last month of a separate but related theft of the Social Security numbers and other information of 4.2 million current and former federal workers that was stored in a database maintained at the Department of the Interior.

Word of Archuleta’s resignation was applauded by members of Congress who had been pushing for her departure, charging that she had ignored warnings from her agency’s own inspector general to implement protective upgrades to OPM’s computer systems.

“This is the absolute right call,” said Rep. Jason Chaffetz, R-Utah, the chairman of the House Oversight and Government Reform Committee. “OPM needs a competent, technically savvy leader to manage the biggest cybersecurity crisis in this nation’s history.”

Republicans have sought to use the cyberattacks to accuse Obama of poor management, with former Florida Gov. Jeb Bush, a leading GOP presidential candidate, last month charging that if he had been president, Archuleta would have been fired.

The head of the country’s largest federal employees union, however, blamed the breaches on deep cost-cutting by Congress.

“Budget austerity has consequences and we are seeing one of them right now,” said J. David Cox Sr., national president of the American Federation of Government Employees. “OPM could and should have done a better job of cybersecurity with the resources they had. But going forward, I hope one lesson learned from these breaches is that when you refuse to fund the operations of government you will have hugely consequential failures.”

Archuleta will be replaced temporarily by Beth Cobert, a deputy director at the Office of Management and Budget, until a successor can be found.

Jonathan S. Landay: 202-383-6012, @JonathanLanday

Lesley Clark: 202-383-6054, @lesleyclark