OPM Chief 'Angry' Over Agency Hack, Details How Hackers Got In
The breach may have affected thousands of people.
— -- The director of the Office of Personnel Management insisted today that she's "as angry as" anyone that foreign hackers were able to break into her agency's computer systems last year -- a breach ABC News sources say potentially exposed the personal information of tens of millions of people.
“I'm doing everything I can to move as quickly as I can to protect the systems," Director Katherine Archuleta assured a Senate panel.
During the Senate hearing, Archuleta also confirmed previous ABC News reports describing how the hackers were able to enter OPM in the first place: They stole a "user credential" from a private contractor's employee who had been granted access to OPM’s systems, she said.
But Archuleta made clear KeyPoint did not intentionally play a role in the subsequent hack of OPM.
"While the adversary leveraged a compromised KeyPoint user credential to gain access to OPM's network, we don't have any evidence that would suggest that KeyPoint as a company was responsible or directly involved in the intrusion," she said.
The public will have its first opportunity to hear from KeyPoint when its CEO, Eric Hess, testifies at a House hearing on Wednesday. KeyPoint has repeatedly declined requests for comment.
Investigators are looking into whether cyber-attacks predating the KeyPoint incident, which was first detected in September, may be connected to the OPM breach, sources told ABC News.
At the hearing today, Archuleta became the first U.S. official to at least tacitly acknowledge publicly that – beyond the 4.2 million current and former federal workers already confirmed – multiples of millions more people could be impacted by the OPM breach.
She repeatedly insisted OPM’s “ongoing investigation” has yet to determine “the scope” of the hack, saying, “That's why I want to be careful to make sure the number I give to [the public] I'm confident about.”
But when Sen. Jerry Moran, R-Kansas, pressed her about the number of people who could have been impacted and the sheer number of files contained in all of OPM’s digital records, she said: "There are millions of files, sir. We are a data center, so there are millions of files.”
The question of scope now focuses on files associated with background investigations, including forms known as SF-86s. There are “a number of different names” and other personal information in those files, Archuleta said.
“We're working to get that number," she added.
Nevertheless, an early OPM memo described to ABC News shows how federal officials have for months feared a vastly bigger universe of victims than what has officially been acknowledged so far.
The memo warned the hack of a certain OPM system alone meant 18 million Americans could have had their Social Security numbers or other personal information stolen, and tens of millions more may have been affected by the breach of other systems, according to sources familiar with the June 4 assessment.
One source close to the investigation said the memo contained “very raw numbers,” and investigators are still conducting “many forensic steps” to determine whether so many people actually had their personal information stolen.
Hackers had access to far more than the personnel records tied to the often-cited number of 4.2 million potential victims.
The hackers rummaged undetected through various OPM systems for more than a year – all part of a suspected cyber-campaign out of China to collect information on federal workers inside the United States and others around the world, sources told ABC News.
If SF-86 forms were stolen in their entirety, an “exponential amount of people” could be affected, including U.S. military, law enforcement, diplomatic and intelligence officials around the world, a source previously told ABC News.
The forms require applicants to provide personal information not only about themselves but also relatives, friends and “associates” spanning several years.
The forms ask applicants about past drug use, financial history, mental health history and personal relationships.
That type of information could be exploited to pressure or trick employees into further compromising their agencies, sources said.
The Senate Appropriations subcommittee hearing today repeatedly discussed a report last year by OPM’s inspector general outlining past failures by OPM to properly secure and test its cyber-security measures.
Only a few of the inspector general’s 29 recommendations for improvement have since been implemented, and such “systemic failures … may have ultimately led to the breaches we are discussing today,” Michael Esser, OPM’s assistant inspector general for audits, told lawmakers.
But Archuleta scoffed at the notion that anyone was personally responsible for the breach.
"If there is anyone to blame, it is the perpetrators” who have been executing “concentrated, very well-funded, focused, aggressive efforts to come into our systems,” she said.
In addition, she inherited an agency whose cyber-security has been neglected for decades, Archuleta suggested during the hearing.
Richard Spires, the former Chief Information Officer at DHS and the Treasury Department, told lawmakers that, under Archuleta’s leadership, OPM is now doing “a number of things correctly" to protect its systems.