The federal agency that had more than 21 million Americans’ personal information stolen in a massive hack is once again in congressional cross-hairs — this time for improperly doling out taxpayer dollars to protect those Americans after the data breach.
The Office of Personnel Management’s inspector general released a report this month, made public Thursday, finding that the agency improperly handled its contract award to a company hired to protect the identities of the first 4 million federal employees affected by the breach, which has been blamed on China.
That spurred House Oversight Committee Chairman Jason Chaffetz to once again call for heads to roll — sending a letter to the White House demanding the firing of OPM’s chief information officer on Thursday.
“I write once again to augment my concerns that Ms. Donna Seymour, chief information officer for the Office of Personnel Management, is unfit to perform the significant duties for which she is responsible,” Chaffetz wrote in the letter. “It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties.”
The director of OPM stepped down in the weeks following the hack’s discovery, but lawmakers have also called for Seymour’s resignation since revelations about the cyberattack.
OPM first announced that a cyberattack had compromised the personal files of more than 4 million current, former and prospective federal employees in June, and they immediately began offering identity protection services to those individuals through a company called CSID. The contract was worth nearly $21 million.
But that contract came under intense scrutiny after affected individuals complained of long wait times to sign up, website crashes and incomplete policies for the services — and the three-day turnaround on the contract solicitation raised flags.
When OPM announced it had determined a second breach compromised more than 21 million sensitive records, it did not use CSID for services, and engaged in a comprehensive contract solicitation before ultimately choosing a provider.
OPM’s IG said that initial agreement with CSID violated federal contracting regulations in five ways: OPM did not offer a complete scope of the work, conduced inadequate market research, had an incomplete acquisition plan, exceeded dollar limits on blanket agreements and had an unreliable contract file.
The agency agreed on nearly every point of the IG’s findings, and said it had put in place steps to correctly follow federal regulations in the future.
The IG has also repeatedly found deficiencies in OPM’s information security procedures, including warning about weaknesses before the attack. OPM is undertaking a project to upgrade its information technology.
President Barack Obama formally nominated acting Director Beth Cobert to be the new permanent director of OPM last month.