House Oversight Chief Probes OPM Hack Timeline

The chairman of House Oversight and Government Reform Committee is probing the origins of the massive hack of federal employees’ background investigations files disclosed by Office of Personnel Management earlier this year.

OPM officials revealed in June and July two related hacks of federal computer networks: one affecting personnel files of about 4 million federal employees and another, far larger hack, affecting background investigation files of up to 22 million current and former federal employees and contractors.

In an Aug.18 letter to acting OPM Director Beth Cobert, Chaffetz, however, zeroed in on an earlier March 2014 cyberintrusion at the agency. That breach -- first reported by The New York Times last summer -- did not lead to the loss of any personally identifiable information, officials say. But hackers did make off with some security documents and manuals that could’ve provided a blueprint to OPM’s systems, officials told lawmakers during a series of congressional hearings this summer.

(Click here for a full timeline of the OPM hack)

In the letter, Chaffetz requested OPM officials turn over all internal OPM documents “referring or relating” to the agency’s discovery of the unauthorized access of the security manuals

Chaffetz, who requested a response by Sept. 1, said he wants specifics on the types of security documents taken by hackers as well as dates when the documents were first accessed and when they were exfiltrated from OPM’s network.

In addition, Chaffetz said he wants OPM to provide the names of the individuals -- presumably OPM employees -- who discovered the unauthorized access of the security documents as well as when the agency’s inspector general, DHS and the FBI were first notified.

Following that first March 2014 intrusion, OPM initiated a $20 million IT modernization plan to harden its cyber defenses, work that was already underway when the agency this spring discovered the more recent -- and far more devastating -- hacks of employees’ sensitive information.

In a separate Aug. 18 letter, Chaffetz sought details of OPM’s IT upgrade from one of the major contractors working on the project, Arlington, Virginia-based IT contractor Imperatis Corp.

In the letter to company CEO Mastin M. Robeson, Chaffetz requested all documents about the company’s role in OPM’s IT modernization plan as well as any documents detailing the company’s role in responding to the two data breaches announced by OPM earlier this year.

Last month, the Senate approved additional funding for OPM to bolster its cyber defenses. However, a “flash audit” released by the agency’s inspector general in June flagged the IT modernization plan for unreliable cost and schedule estimates.

Meanwhile, in a separate Aug. 19 letter to Ann Barron-DiCamillo, the director of DHS’ U.S. Computer Emergency Response Team, Chaffetz asked the agency to turn over DHS documents related to the hacks. That includes “malicious code or malicious logic that caused the breach and whether or not that malicious code or logic was known to the National Cybersecurity Protection System,” the official name for the DHS intrusion-detection system known as EINSTEIN.