Breach Response , Cybersecurity , Data Breach

OPM Breach Fallout: What's Next?

Director Archuleta Stays Put as White House Weighs Response
OPM Breach Fallout: What's Next?
(Editor's Note: Katherine Archuleta resigned July 10 as director of the Office of Personnel Management. See the latest update for more information.)

What happens next for U.S. Office of Personnel Management data breach victims, the agency's beleaguered leadership, as well as the hackers responsible for the related attacks?

See Also: Disrupt Attack Campaigns with Network Traffic Security Analytics

In the wake of OPM announcing that it now believes that a total of more than 22 million individuals had their personal information exposed via two separate breaches, many lawmakers have intensified their calls for the agency's leadership to be jettisoned.

But the White House has continued to signal its support for OPM Director Katherine Archuleta, and it says it has not yet decided how to respond to the intrusion, which it has not yet publicly attributed to any person or nation. But multiple government officials have pointed a finger at Chinese hackers (see OPM Breach: China Is 'Leading Suspect').

Department of Homeland Security Director Jeh Johnson said that the government was weighing a "proportionate" response, while FBI Director James Comey has suggested that the government might bring charges against the hackers.

"We are continuing to look at all the different ways and all the different tools that we have to respond," White House cybersecurity coordinator Michael Daniel said during a July 9 press briefing.

Chinese government officials, however, have dismissed any suggestion that China was involved in the OPM breach. "We hope relevant parties of the U.S. side can stop making unfounded and hypothetical accusations and work constructively with China to address cybersecurity issues," Zhu Haiquan, spokesman for the Chinese Embassy in Washington, said July 9, The Wall Street Journal reports.

Breach Notifications

The White House officially announced July 9 that hackers appeared to have stolen every background-investigation form - SF86, SF85 and SF85P - filed with the U.S. government since 2000, if not before. That breach affects at least 19.7 million people who applied for a background investigation, plus 1.8 million non-applicants, predominantly including applicant's "spouses or co-habitants." Every one of their Social Security numbers was stolen, as were about 1.1 million of their fingerprints.

That theft is "separate but related" to the December 2014 hack attack that OPM first discovered in April, which the agency says exposed personnel data for 4.2 million individuals. Many, but not all, of those people were also victims of the background-investigation hack attack, OPM says.

Identity Theft Worries

For victims, OPM says it will offer three years of prepaid identity theft monitoring services via a third-party firm.

But that move downplays the potential long-term fallout for OPM breach victims, whose sensitive personal information - included on background-check investigations - has been exposed. Victims also face lifelong fraud concerns because their Social Security numbers were stolen. The U.S. government will replace Social Security numbers for free in the event that they get lost or stolen. But the Federal Trade Commission notes that many government agencies and others will still keep a record of the prior number, meaning it nearly impossible to make a fresh start.

Such concerns are at the heart of two lawsuits that have been filed by federal employees' unions against OPM and its directors, seeking court-ordered information security improvements at the agency, as well as greater breach transparency. The second such lawsuit, filed July 8 by the National Treasury Employees Union, which represents 150,000 employees, also demands that OPM provide free lifetime identity theft monitoring for victims.

OPM officials, however, have dismissed criticism that their response to the breach - and related notifications to victims - have been slow or incomplete. "Throughout this investigation, OPM has been committed to providing information in a timely, transparent and accurate manner," according to a July 9 statement issued by the agency.

Unanswered: Congressional Culpability

Capitol Hill, meanwhile, is playing a "should she stay or should she go" game over Archuleta, the OPM director. Many Republican lawmakers have for weeks been calling for Archuleta - a former Denver schoolteacher turned national political director for Obama's 2012 re-election campaign - and OPM CIO Donna Seymour to be removed.

But following OPM's July 9 announcement, politicians from both parties increased calls for Archuleta to be held accountable for the breach, and for her to step down. House Speaker John Boehner, R-Ohio, for one, called for President Obama to "take a strong stand against incompetence in his administration" and fire Archuleta.

Meanwhile, Sen. Mark Warner, D-Va., on July 9 also called for Archuleta to go. "The technological and security failures at the Office of Personnel Management predate this director's term, but Director Archuleta's slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis," he said. "It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability."

In the numerous hearings Congress has held following OPM's June 4 breach announcement, however, few lawmakers have asked if Congress might be culpable for fostering the information security situation that Archuleta inherited in November 2013.

"OPM has known about these vulnerabilities for years, but failed to address them," Michael Esser, OPM's assistant inspector general for audits, recently told the House Committee on Space, Science and Technology. Indeed, since 2009, OPM's inspector general has been issuing increasingly dire warnings over the state of the agency's information security posture (see Analysis: Why the OPM Breach Is So Bad).

Those reports get submitted both to OPM's leadership as well as Congress.

Criticism After e-QIP Security Upgrades

Congress also appears to have missed its cues after OPM suspended its Web-based Electronic Questionnaires for Investigations Processing, or e-QIP, online background-check application filing system June 30. Archuleta characterized the move as being a "proactive, temporary suspension" to fix vulnerabilities in the system that attackers could exploit (see OPM Suspends Background Check System).

Multiple lawmakers, instead of lauding OPM's move to patch vulnerable systems and safeguard employees' information, criticized OPM for taking e-QIP offline. "With the e-QIP system now reportedly down for at least four to six weeks, it will cause significant disruption to the process through which information is submitted to allow OPM to process security clearances," senators Warner and Tim Kaine, D-Va., wrote in a letter to Archuleta.

But their letter begs this question: Do they want a background-check system that is secure, or an insecure system that attackers could exploit to steal yet more data? Then again, some security experts, including Europol cybersecurity advisor Alan Woodward, have characterized OPM's e-QIP overhaul as being too little, too late.

Indeed, OPM auditor Esser said the shutdown was not a proactive move, but rather a delayed response to security flaws that had first been identified in September 2012, and which had been scheduled to be fixed by September 2013. That would have been two months before Archuleta began her tenure at OPM.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network