Follows two data hacks exposing personal information of close to 25 million
Jul 09 2015
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Select Committee on Intelligence, released the following statement:
“The technological and security failures at the Office of Personnel Management predate this director’s term, but Director Archuleta’s slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis. It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability.”
The Office of Personnel Management announced today that, in addition to the previously announced breach affecting the personnel data of 4.2 million individuals, a second, separate theft affecting background investigation records has compromised the personal data, including Social Security Numbers (SSNs), of 21.5 million current and former employees, contractors, and their families and friends. This number includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants. In addition to personal information like names, addresses, and SSNs, the breached data includes answers to questions about sensitive information such as personal finances, past drug use and contact with foreigners.
Sen. Warner, acknowledging that the agency has long faced serious challenges when it comes to IT and cybersecurity management, stressed that today’s call for the Director to step down was not a result of the two breaches, but rather the Director’s inadequate response.
“As the FBI Director told the Intelligence Committee yesterday, this is a ‘huge deal’ and represents a treasure trove of information for potential adversaries. This is a serious problem that isn’t limited to government, as we’ve already seen with recent breaches involving Anthem, CareFirst, Target, and Home Depot,” added Sen. Warner, who is currently preparing to introduce data breach legislation that would create a comprehensive, nationwide and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information. “Both the private and public sector need to be better prepared for an increasing number of these cyberattacks.”
Following the breach, Sen. Warner joined fellow Intelligence Committee member Sen. Angus King (I-ME) in calling on Senate appropriators to increase funding for cybersecurity upgrades at OPM, noting that “it is abundantly clear that technology and cyberattackers evolve in real time and the federal government needs more resources and budget certainty to keep their infrastructure current and strong.”
One week later, on June 17, the same day that Director Archuleta testified before Congress that a proposed $91 million IT systems upgrade would better protect OPM’s network against similar intrusions in the future, the OPM Office of the Inspector General (OIG) issued a “flash audit alert” raising serious concerns with OPM leadership about its handling of the overhaul. According to the OIG, “There is a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications.” Moreover, according to the alert, OPM “initiated this project without a complete understanding of the scope of OPM’s existing technical infrastructure or the scale and costs of the effort required to migrate it to the new environment… In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate, and introduces a very high risk of project failure.” The OIG also questioned OPM’s timeline for the upgrade, calling it “overly optimistic,” and predicting “that the agency is highly unlikely to meet [its] target.”
Last week, Sen. Warner and Sen. Tim Kaine (D-VA) pressed Director Archuleta for clear details on how the agency plans to address the government security clearance processing backlog after OPM identified a vulnerability in the e-QIP web-based platform that is used to complete and submit background investigation forms, which resulted in taking the system offline for four to six weeks. While OPM has publicly announced that the agency will temporarily make use of paper-based, hard-copy security clearances in the interim, the agency has yet to provide a full response to Sens. Warner and Kaine regarding their concerns about the overall integrity of the e-QIP system, or address how OPM plans to handle the workload overflow that will be triggered by the system shutdown.
Sen. Warner also wrote to the OPM Director on June 19 to raise concerns about the performance of the contractor OPM hired to provide credit monitoring services and identity theft protection for hack victims, highlighting hours-long wait times and inaccurate data reported by his constituents that call into question the contractor’s ability to appropriately protect them from fraud and identity theft. In the letter, Sen. Warner also questioned the procurement process used to award the contract, given that the solicitation was open for an unusually short 36-hour period. OPM has yet to provide a response to Sen. Warner’s letter.
On June 12, Sen. Warner led his colleagues from Virginia and Maryland in calling on OPM to do more to protect federal employees whose personal information was compromised as a result of the massive breach and questioned why OPM did not encrypt the SSNs of federal employees, a common practice that provides an additional layer of protection for workers’ personal information. OPM’s response to the Senators’ June 12 letter is available here.
Today, the Senators from Virginia and Maryland introduced the RECOVER Act (Reducing the Effects of the Cyberattack on OPM Victims Emergency Response Act of 2015) to require expanded identity theft coverage for federal workers, contractors and other individuals affected by these breaches, including lifetime credit monitoring and at least $5 million of insurance coverage for identity theft.
In addition, Sen. Warner has called on the Internal Revenue Service (IRS) to work with OPM to protect federal employees and others from tax-related identity theft.
Sen. Warner plans to introduce legislation to ensure that federal agencies have robust standards for cybersecurity and that those standards are strictly enforced across the government.
Sen. Warner, a former technology executive and Virginia governor, has also pressed OPM to resolve the technological issues that have led to enormous backlogs in processing retirement applications and resulted in months-long delays for federal retirees to receive the benefits they have earned.