With All Eyes on Pope, OPM Drops Bad News on the Hack
As the Wednesday arrival ceremony for Pope Francis was underway outside the White House, blocks away the Obama administration was announcing it had underestimated the number of fingerprints in federal records swiped by hackers.
The revelation led to new calls from Capitol Hill for overhauling the Office of Personnel Management’s information technology operation.
“As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness. During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed,” Office of Personnel Management Press Secretary Samuel Schumach said.
“Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million,” Schumach said. “This does not increase the overall estimate of 21.5 million individuals impacted by the incident.”
Schumach said authorities do not believe the 5.6 million fingerprint records could be easily exploited with current technology, but he noted future developments may change that.
Sen. Ben Sasse, R-Neb., was quick to fire back at the OPM over the timing of the announcement, which came Wednesday morning as much of official Washington was told to stay home because of events related to the pope’s visit. In addition, neither the House nor the Senate was in session because of the observance of Yom Kippur.
“Today’s blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat,” Sasse said. “The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cybersecurity.”
The timing of the announcement looked questionable, taking place as the White House press corps was focused on the pope, but Schumach said the Pentagon and the OPM made the disclosure as early as was practical.
“OPM is committed to full transparency as we work through the background investigation records intrusion. OPM and DoD very recently identified archived records containing additional fingerprint data not previously analyzed, and spent the past several days further analyzing this data,” Schumach told CQ Roll Call. “Yesterday, we began informing members of Congress, as well as the OPM inspector general, of these newly identified archived records, and disclosed that this would change the fingerprint number previously reported.”
He said the final total of the fingerprint records involved was confirmed Wednesday morning.
A spokeswoman for Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., told CQ Roll Call the statement OPM sent to reporters was the same as what the committee received, despite White House Press Secretary Josh Earnest telling reporters that consultations had happened with relevant parties at the Capitol.
“The time-frame for this announcement is that there was a previously scheduled meeting between senior leaders at OPM and relevant members of Congress, with whom OPM has been working throughout this incident, and this additional information about the scope of the intrusion and the material that was affected by the intrusion was only recently determined,” Earnest said, responding to a query about the timing of the newest release. “This new information was communicated to relevant members of Congress just days after it was learned, and once that information was communicated to Congress it was also communicated to the public.”
The news of the expanded scope of the breach comes just ahead of a state visit by Chinese President Xi Jinping. China has been widely reported to be behind the intrusion in the federal records. Earnest said he had no formal announcements about culpability, however.
“This is something [that] continues to be under investigation by authorities,” Earnest said. “There are some reports about what those authorities have learned as they’ve been conducting this investigation over the last several months, but I don’t have any conclusions to share publicly about who may or may not have been responsible.”
The handling of the security situation has already led to the resignation of Katherine Archuleta as OPM director, but Rep. Jason Chaffetz of Utah, the chairman of the House Oversight and Government Reform Committee, is signaling he wants more to be done regarding senior IT personnel.
“OPM keeps getting it wrong. This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM’s IT management team is not up to the task,” Chaffetz said in a statement. “They have bungled this every step of the way.”
Government Operations Subcommittee Chairman Mark Meadows, R-N.C., likewise said via Twitter that “OPM IT officials once again failed the American people.”
See photos, follies, HOH Hits and Misses and more at Roll Call’s new video site.
Get breaking news alerts and more from Roll Call in your inbox or on your iPhone.