The cyber-breach at the Office of Personnel Management uncovered in recent months was bad.
But how bad is a matter of dispute that has divided leaders at the Office of Personnel Management.
A brief dispute flared between senior officials from OPM and the FBI, laying bare a simmering behind-the-scenes debate over the handling of what U.S. officials say is the worst ever breach of U.S. government data. U.S. officials believe Chinese government hackers are to blame.
OPM Director Katherine Archuleta, responding to questions from senators, disputed a CNN report that that hackers may have compromised the personal information of as many as 18 million current, former and prospective government workers.
Archuleta suggested the number was inaccurate and that she didn’t know the source of the data, U.S. officials briefed on the Senate meeting said. She stuck by OPM’s initial estimate that 4.2 million people were affected.
That prompted James Trainor, acting assistant director for the FBI’s cyber division, to stand up and dispute Archuleta’s assertion.
FBI Director James Comey provided the 18 million estimate in an earlier briefing to a group of senators. It was based on an internal estimate prepared by OPM officials, CNN reported Monday.
Trainor wasn’t scheduled to speak at the Tuesday briefing, but told senators he felt compelled to defend Comey’s testimony.
He held up a copy of OPM’s own internal report that was the source of the 18 million figure.
OPM officials say the 18 million number is a raw estimate and that their investigation continues.
It was an unusual piece of drama in an otherwise dry briefing that left senators scratching their heads and doubting that OPM was up to the job of defending its computer networks even now.
“I have absolutely no confidence that this could not happen again tomorrow,” Sen. Susan Collins of Maine said after leaving the briefing, noting OPM was still grappling with the size of the breach.
“When they don’t even know the scope for certain, that doesn’t give me a lot of confidence.”
The brief dispute Tuesday illustrated the internal wrangling over the Obama administration’s response to the OPM hack.
In a public hearing on Wednesday, Archuleta took questions from lawmakers before the House Oversight Committee. As frustrations among lawmakers builds, some administration officials believe she won’t likely survive the growing calls for her to resign.
Archuleta told lawmakers that two different numbers exist for who was affected. The government has alerted the 4.2 million victims of one hack of personnel records, she said. But she declined to offer much information about whether the 18 million figure was a more accurate to encompass all those who were affected.
“It is a number I am not comfortable with at this time because it does not represent the total number of affected individuals,” Archuleta told the House panel.
The number, she said, was a “preliminary” estimate of Social Security numbers that were stolen. But she declined to provide more information, or a better idea of how many people were affected.
House Oversight Chairman Jason Chaffetz, R-Utah, blasted OPM in his opening statement Wednesday, and promised to drill down for answers.
“We’re in a situation here where a hurricane has come and gone and just now OPM is wanting to board up the windows,” Chaffetz said.
Chaffetz later said that the number may actually encompass all current and former federal workers overseen by OPM, a total of 32 million people. But he posed that number as part of questioning and Archuleta was steadfast in saying she would not talk about that number.
Archuleta and other OPM officials have pinballed between Capitol Hill hearings and briefings ever since the expansive data breach was first exposed.
Some investigators believe the administration has been slow to acknowledge the severity of the breach, leading to a drip-drip of negative headlines and hampering the ability of citizens affected to do what they have to protect themselves.
But the critics also acknowledge that OPM is dealing with an unprecedented breach that officials still don’t fully understand.
The hackers accessed separate databases that house personnel records and those that contain sensitive data from security clearance records — known as SF86 forms, OPM has said.
The total number of records affected remains unknown — and may never be, OPM and its critics acknowledge.
That’s in part because suspected Chinese hackers managed to roam the OPM databases for a year before being detected, according to U.S. officials briefed on the investigation. Once inside OPM’s networks, hackers created high-level security credentials to give themselves complete access, the officials say. What they stole may never be fully assessed, the officials say.
Roots of the breach
The roots of the recent OPM breach could be traced to an earlier 2013 OPM breach, investigators now believe. At the time, OPM officials minimized what was taken by hackers, who are believed to be the same responsible for the latest breach. But it turned out what was taken provided blueprints to the OPM network, valuable information for future intruders.
At Wednesday’s House Oversight hearing, Donna Seymour, the agency’s chief information officer, said that in the 2013 breach, hackers took “some manuals about our systems.”
Asked if those manuals were akin to blueprints of OPM’s computer systems, Seymour answered, “It would be fair to say that would give you enough information that you could learn about the platform, the infrastructure of our system, yes.”
Seymour called it a breach of security.
But that contrasts with earlier statements by OPM officials.
In a 2014 interview with WJLA-TV in Washington about the 2013 breach, Archuleta minimized the damage.
“I can tell you the most important piece: No personal identification information was compromised,” she said. “That’s the most important thing. That happened because of the good work and dedication of our employees.”
About the 2013 breach, Archuleta added: “Again, we did not have a breach in security. There was no information that was lost. We were confident as we worked through this that we would be able to protect the data.”