Lawmakers call for OPM director to resign amid data breach scandal

WASHINGTON—Lawmakers reprimanded the U.S. Office of Personnel Management (OPM) on Tuesday for lacking adequate security measures to prevent one of the largest cyber attacks in the nation’s history. Hackers stole personal information—Social Security numbers, birth dates, work history, and other private data—for more than 4 million federal employees.

“This may be the most devastating cyber-attack in our nation’s history,” said U.S. Rep. Jason Chaffetz, R-Utah, chairman of the Oversight and Government Reform Committee.

Katherine Archuleta, director of OPM, said some records potentially compromised dated to 1985 and could span the entire career of a government worker.

“You failed utterly and totally,” Chafetz said, while calling for Archuleta’s resignation. He stated her “gross negligence” as reason to find more competent leadership.

Three years ago, OPM’s inspector general, Michael Esser, warned Archuleta the system’s weaknesses could lead to a breach. But she didn’t make any changes, citing the system’s age as an impediment.

Chaffetz scolded Archuleta for not following the auditor’s recommendations: “The inspector general found that 11 of the 47 major information systems, or roughly 23 percent at OPM lacked proper security authorization, meaning that the security of 11 major systems was completely outdated and were unknown. They were in your office!”

Esser said many of the people running the agency’s information technology department have no IT background. OPM has not apologized or fired any employees for the agency's failure to pass numerous cyber security audits.

A second, confidential hearing took place on Tuesday afternoon for officials and federal employees to learn about repercussions of the breach. Officials are concerned the hackers, who likely are from China, may leverage the information for espionage purposes.

After downplaying the cyber attack for days, the Obama administration acknowledged on Friday the cyberspies obtained detailed background information on millions of military, intelligence, and other personnel who have been investigated for security clearance.

Applicants for security clearance are required to list drug use, criminal convictions, mental health issues, and the names and addresses of their foreign relatives.

The information is now available to the hackers, who may be selling the data online.

Experts say sales of the data may extend further than China, where the intelligence service could share the information with countries such as North Korea or Pakistan.

“The ‘friends and family’ dataset is ultimately the most useful for a hostile intelligence service,” said Richard Zahner, a retired lieutenant general and former top NSA official. Tie the information to what’s publicly available and other intelligence our enemies have already collected, “and you have insights that few services have ever achieved.”