A separate intrusion into the networks of the Office of Personnel Management (OPM) was confirmed by the White House on Monday.
OPM announced that while investigating the first intrusion that compromised records of current and former federal employees additional systems were compromised (Defense Daily, June 5).
“These systems included those that contain information related to the background investigations of current, former, and prospective federal government employees, as well as other individuals for whom a federal background investigation was conducted,” OPM said in a statement.
OPM explained this separate incident was discovered because of the office’s efforts to update its cybersecurity posture, adding several tools and capabilities to its network.
Individuals who may have been affected by this additional breach will be notified by OPM as soon as practicable, the office said.
White House Press Secretary Josh Earnest commented that the second breach likely contained more information than the first.
“I think that what the announcement over the weekend indicated is that there was a second intrusion that was under investigation. It involved a different system and a different set of data. And I think you could logically conclude that there is a likelihood that the amount of data and information was–that a larger amount of data and information was potentially affected. But this is something that still continues to be under investigation by the FBI and DHS.”
Katherine Archuleta, director of OPM, said numbers for the second hack were not fully known yet.
“These systems included information based on the background investigations of current, former, and prospective federal government employees as well as other individuals. Because different agencies feed into OPM background investigation systems in different ways, we are working with the agencies right now to determine how many of their employees were affected. We do not have that number at this time.” she said during a Tuesday hearing at the House Committee on Oversight and Government Reform
In response to forceful questioning from Chairman Jason Chaffetz (R-Utah), Archuleta said OPM’s legacy systems date back to 1985 but it was not yet known how far back in time the data breach itself goes.
She also noted that individuals who had submitted SF-86 forms may be included in the data breach, but could not provide further specifics about the kind of information that had been breached in an unclassified setting.
Last week the Associated Press reported that, according to anonymous sources, the compromised records of these hacks may rise to nine to 14 million and date to the 1980s.
Tony Scott, the United States Chief Information Officer (CIO), noted in his committee testimony these kinds of cyber attacks will not diminish.
“I would like to start by highlighting a very important point of which you are probably already aware: both state and non-state actors who are well financed, highly motivated, are persistently attempting to breach both government and non-government systems. And these attempts are not going away. They will continue to accelerate on two dimensions: first, the attacks will continue to become more sophisticated, and secondly, as we remediate and strengthen our own practices, our detection capabilities will improve. That means that we have to be as nimble, as aggressive, and as well-resourced as those who are trying to break into our systems,” he said.
Michael Esser, Assistant Inspector General for Audits at OPM, said the office has a long history of failing to comply with information security requirements.
“OPM has a history of struggling to comply with FISMA (Federal Information Security Management Act) requirements. Although some areas have improved, such as the centralization of IT security responsibility within the OCIO (Office of the Chief information Officer), other problems persist. Again, of particular concern is the high number of IT systems that are currently operating without a valid authorization.”
“We acknowledge that OPM participates in multiple government-wide security programs. However, these programs are designed to complement, not replace, a comprehensive IT security program. It is critical that OPM take steps to secure its network from within, and our audit recommendations are designed to help them do so,” Esser said before the committee.
Archuleta highlighted that OPM found the breach because of increased cybersecurity efforts during her 18 months as head of OPM.
“I want to emphasize that cyber security issues that the government is facing is a problem that has been decades in the making, due to a lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our internet infrastructure. We discovered these intrusions because of our increased efforts in the last 18 months to improve cyber security at OPM, not despite them.”