How Hackers Unlocked OPM Systems and 6 Other Things We Learned about the Breach

Katherine Archuleta, director, Office of Personnel Management Cliff Owen/AP

Agency chief wants you to know she is angry about the data breach and ID theft protection customer service.

Office of Personnel Management chief Katherine Archuleta wants you to know she is mad about the breach of personal identification data and background investigations on millions of federal employees. Just don’t blame OPM, she said. The hack at Archuleta’s agency is not the fault of computer security staff or a contractor who lost key login data, she testified today.

Archuleta's newly expressed empathy with infuriated breach victims and the news that attackers used credentials from background check provider KeyPoint Government Solutions are just two of the revelations that came out of a Senate hearing Tuesday. The session was the first of four public congressional grillings this week on the handling of the OPM breach.

Today, we learned:

Archuleta Angry Over Wait Times at Call Center

"I am as angry as you are about" feds experiencing wait times of 90 minutes when they call OPM contractor CSID to obtain free identity theft protection, Archuleta told lawmakers. Members of Congress and government employees have been complaining about service delays, inaccurate credit histories and the security of information that CSID collects.

Archuleta said OPM Chief Information Officer Donna Seymour and her team are working with CSID to improve customer service.

How the OPM Hackers Got In

Data swiped from one of perhaps two security breaches at employee investigation firm KeyPoint was used to hop into OPM's systems.

"While the adversary leveraged a compromised KeyPoint user credential to gain access to OPM network, we don't have any evidence that would suggest that KeyPoint as a company was responsible or directly involved in the intrusion," Archuleta said. "We have not identified a pattern or material deficiency that resulted in the compromise of the credentials."

The government last December disclosed a breach at KeyPoint that exposed data on more than 48,000 federal employees. According to the AP, officials also discovered a different hack attack in September of that year.

How OPM Will Contact Victims of Second Breach

Archuleta announced OPM is looking at how to notify family members whose biographies were listed in a compromised system containing investigative data on personnel vetted for security clearances.

"We are taking into consideration all of the individuals that were affected by this breach" related to background investigations, she said. The background check hack was discovered after OPM in April detected an incident that exposed ID data on 4.2 million current and former federal workers. Archuleta declined to estimate the number of national security personnel whose lifetime histories and other sensitive data were stolen during the separate but related penetration. According to CNN, the total victim count could rise to 18 million.

More Agency Hacks May be Detected

There is a high possibility more agency hacks will come to light, as a result of a White House-mandated governmentwide "30-day cybersecurity sprint" to test systems for vulnerabilities and patch security holes, among other safeguards.

"Given the situation we find ourselves in across most federal agencies, I would expect you to find significant breaches" during this period, testified Richard Spires, the former Department of Homeland Security chief information officer. The OPM assistant inspector general for audits agreed with Spires. Assistant IG Michael Esser added, "We've been seeing breach after breach this year," at health insurers, background investigation contractors and government agencies, "it would not surprise me to see more."

Auditors Have Concerns with OPM's IT Upgrade Plan

While it was known that OPM is undergoing an IT overhaul, "a flash audit" alert the OPM IG released Tuesday states the agency has not budgeted time or money for this venture.

"The current estimate for this project was approximately $93 million," Esser testified, but auditors later learned "that this cost estimate did not include the costs for migrating existing applications" to the new operating environment. An evaluation of the extent of the project is due next month. The agency anticipates a two-year timetable, according to the flash audit.

"It is difficult to see how the agency can estimate its timeline when it does not yet know the scope of the effort," the audit reports.

Some Breached Systems Weren't that Old

Some of the OPM systems penetrated by suspected Chinese spies were recently acquired and could have been outfitted with new security defenses, Esser said. OPM has claimed it was impossible to encrypt, or render indecipherable, plain text data the hackers extricated because its existing networks are too old.

"Based on the work that we've done in our audits and ongoing work that we're doing, it's our understanding that a few of the systems that were breached are not legacy systems," Esser said. "They are modern systems that current tools could be implemented on."

Archuleta: Blame the Perpetrators

The people who should be held accountable for the hack are not government officials, according to Archuleta.

"If there is anyone to blame it is the perpetrators," she said.

Among OPM staff and other IT security staff, "I don't believe anyone is personally responsible. I believe that we are working as hard as we can to protect the data of our employees because that is the most important thing that we can do. And I take it very seriously. I am angry as you are that this has happened to OPM."