The director of the Office of Personnel Management (OPM) is coming under heavy fire on Capitol Hill, with lawmakers on both sides of the aisle demanding that she step down for what could be the most devastating data breach in American history.
Director Katherine Archuleta has taken a beating in a series of tense congressional hearings. Lawmakers have accused her of shifting blame for the hack and moving too slowly to correct persistent security problems that were apparently exploited by China in a breathtaking siege of U.S. networks.
“The hurricane has come and gone and just now OPM is wanting to board up the windows,” said House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah), during a four-hour hearing Wednesday.
“Personal accountability is paramount,” added Chaffetz, who is leading a growing congressional chorus calling for Archuleta to be fired.
Archuleta at one point sparred with Rep. Stephen Lynch (D-Mass.) over who is at fault for the hack that has shaken the government.
“You also testified that no one is to blame, is that right?” Lynch asked.
“I believe the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our system,” Archuleta replied.
“I have worked since day one to improve …” she added before Lynch cut her off.
“Yeah I understand that,” he said. “You’re blaming the perpetrators.”
On the other side of the Capitol, Senate Majority Leader Mitch McConnell (R-Ky.) took to the Senate floor Wednesday to berate the agency head, though he stopped short of calling for her removal.
“Let’s be honest, this appears primarily to be a management problem,” he said, describing Archuleta’s testimony thus far as “world-class buck passing.”
For two weeks, OPM and Congress have clashed over the extent of the breach.
When officials first announced the OPM intrusion, they said 4.2 million federal workers had been affected.
But just over a week later, the agency officials said they had uncovered a second breach of a separate system that housed background check information for security clearances — the basis for limiting access to some of the nation’s most closely guarded secrets.
The second intrusion laid bare data on millions of military and intelligence community personnel and, potentially, people outside the government, such as friends and family members who were named in background investigations.
The second hack could have affected up to 18 million people, according to reports.
While the government will not say so publicly, it’s widely believed that Chinese hackers pilfered the data from both systems as part of a broader scheme to build a comprehensive database on U.S. government workers. The sensitive data accessed could be used to imitate officials, stage future cyberattacks, or even recruit informants or blackmail administrators.
Despite repeated inquiries during hearings and classified briefings for the House and Senate, lawmakers had complained that OPM was refusing to provide a specific number for the second breach, let alone provide details about exactly who was affected.
That started to change on Wednesday, with alarming results.
“It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigation data,” Archuleta said before the Oversight Committee.
The estimate of 18 million people does not include friends and family members named in background checks, Archuleta cautioned, meaning the total could grow if the agency decides those people “should be considered individuals affected by this incident.”
Eighteen million “is a number I am not comfortable with at this time because it does not represent the total number of affected individuals,” she said.