House Oversight Chairman Jason Chaffetz on Wednesday accused the chief of the Office of Personnel Management of lying about the extent of a prior cyberattack waged against her agency.
In a contentious back-and-forth exchange, Chaffetz said OPM Director Katherine Archuleta was dishonest about an intrusion on the office's networks that was revealed in March 2014. Citing a TV interview she gave after the attack was disclosed, Chaffetz suggested she had been misleading about its impact when she said that information had not been compromised.
"When we rewind the tape … you said, again, 'We did not have a breach of security. There was no information that was lost,'" Chaffetz said. "That was false, wasn't it?"
Moments before, Donna Seymour, OPM's chief information officer, had acknowledged that some information was exposed during that hack, but that it was limited to "outdated security documents" and other manuals related to how the OPM operates.
But Archuleta said the quote was being misinterpreted, arguing that she was referring only to personally identifiable information and not other files held by OPM.
"No you weren't—that wasn't the question," Chaffetz shot back.
"It was misleading, it was a lie, and it wasn't true," Chaffetz said. "And when this plays out, we're going to find out that this was the step that allowed them to come back and why we're in this mess today."
Wednesday's hearing is the second in as many weeks before the House Oversight Committee for Archuleta, whose agency has been under siege since it disclosed earlier this month two massive thefts of data, both of which China is believed to be responsible for.
Chaffetz and a handful of other lawmakers—both Democrats and Republicans—have called for Archuleta's resignation on grounds that she ignored warning signs about the cyber vulnerabilities of OPM's servers.
Archuleta said at the outset of the hearing that she wanted to correct media reports that as many as 18 million individuals may have been affected by the recent hacks on federal employee data and security-clearance information. The first breach is still believed to have hit about 4 million people, Archuleta said, adding that investigators were still determining the scope of the second intrusion.
The 18 million figure, reported earlier this week by CNN, "is a number I am not comfortable with," Archuleta said. "It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique social security numbers in the background investigation data."
Chaffetz, however, suggested that OPM holds data on as many as 32 million people who could be vulnerable—a number he took from a February budget request from Archuleta.
"I'm not going to give you a number I am unsure of," Archuleta said.
Archuleta did earn some defense from Rep. Gerry Connolly, a Virginia Democrat who castigated some of his colleagues for focusing too much on the blame game.
"To pretend that this is Miss Archuleta's fault is to miss the picture and really do a disservice to our country," Connolly said, adding that the U.S. is engaged in "a new Cold War with certain adversaries, including China and Russia."
Earlier Wednesday, OPM released a "cybersecurity action report" that announced the ongoing rollout of a series of additional security measures, including the hiring by August 1 of a "leading cybersecurity expert from outside government" who will report to Archuleta. The report also vowed expanded cooperation with the Department of Homeland Security and said OPM would require, also by August 1, all employees to use a smart card to log on to its computers.
This story is breaking and will be updated.