Why a Hack on Education Department Would Be Worse than the OPM Breach

The biggest hack on the federal government would pale against a breach of one department that houses tens of millions of Social Security numbers and other sensitive information but lacks even the most basic cyber defenses, according to a lawmaker.

Speaking at the American Enterprise Institute this morning, Rep. Jason Chaffetz, R-Utah, sounded the alarm about security weaknesses at the Education Department, which manages over $1 trillion in loans.

“The biggest vulnerability that I see out there right now: the Department of Education,” Chaffetz said. “If they don’t get their act together and their act together soon…”

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The Education Department came under scrutiny by the House Oversight and Government Reform Committee in February, when House Republicans questioned Education officials’ inability to protect a database with over 130 million Social Security numbers from cyberattacks. The actions of the department’s then-chief information officer, Danny Harris, were also examined closely. Weeks after that hearing, Harris stepped down.

“I think [Harris] understood he wasn’t doing his job and should never been in that position in the first place,” Chaffetz said.

“But there’s more information at the Department of Education than there is at the Office of Personnel Management,” he continued. “And that is my biggest fear. I still sweat about what’s happened at the Department of Education.”

Despite housing tens of millions of people’s sensitive information and 180-plus databases, the agency doesn’t "even have the most basic of tools” to protect them against breaches, Chaffetz said.

“If junior decides he wants to go to college ...  and he wants to get that Pell grant, he wants to get these other loans, guess what?” Chaffetz said. “He’s putting mom’s information in there, he’s putting dad’s information, he’s putting his brother’s information, he’s putting dad’s uncle’s information—credit union information, banking information, all of that is in one file and it’s housed at the Department of Education—and they do not have dual authentication and they do not have encryption.”

“I think it’s already happened; I have no proof of it,” he continued. “I’ve been warning this bell for a long time.”

Chaffetz’s remarks at AEI came in conjunction with the House oversight committee unveiling findings from a year-long investigation into the multiyear cyberspy campaign at OPM. The report concluded the hacks dated back to 2012 and were the result of poor security measures and inadequate action from OPM leadership, among other issues.