Contractor Linked to OPM Hack Says 'Not Responsible,' As Questions Persist

PHOTO: The Theodore Roosevelt Building in Washington, headquarters of the Office of Personnel Management, is seen on June 19, 2015.Mike Levine
The Theodore Roosevelt Building in Washington, headquarters of the Office of Personnel Management, is seen on June 19, 2015.

The head of a government contractor linked to the massive theft of sensitive government records insisted today his firm is not "in any way responsible," even as he conceded the investigation is still underway.

"There is absolutely no evidence that [my company] was responsible for that breach" into U.S. Office of Personnel Management systems, said Eric Hess, CEO of KeyPoint Government Solutions, one of the primary providers of background checks for the U.S. government.

Hess, however, acknowledged a KeyPoint employee's log-in "credentials" were stolen, ultimately giving hackers "access to OPM" – and the personal information of tens of millions of Americans.

"We do not actually know how the employee's credentials were compromised," Hess said after being pressed by Rep. Matt Cartwright, D-Pennsylvania, at a hearing of the House Oversight and Government Reform Committee.

Sources familiar with the government's response to the OPM hack said investigators are still looking into whether the theft of the KeyPoint employee's credentials has any link to a broader cyber-attack against KeyPoint detected last year.

Hess, though, said the stolen credentials only "happened to" come from someone who worked for KeyPoint. In response, Cartwright accused Hess of "denying accountability for the OPM hack."

"It wasn’t a coincidence that this KeyPoint employee had OPM credentials, it was part and parcel to his or her scope of employment with your company," Cartwright admonished Hess. "Your company exists because of the largess of the United States federal government."

ABC News first reported more than a week ago that authorities suspected hackers may have extracted electronic credentials or other information from within KeyPoint's systems and somehow used them to unlock OPM's systems.

In today’s hearing, OPM Director Katherine Archuleta and OPM Inspector General Patrick McFarland – who have often sparred in the wake of the OPM hack – both said there's no reason for federal agencies to stop working with KeyPoint, which has taken substantial steps to further protect its own systems.

Meanwhile, Archuleta and her agency's chief information officer, Donna Seymour, faced bipartisan frustration today over OPM's own failure to implement tougher safeguards in the run-up to the cyber-attack.

In addition, Seymour said a breach of OPM systems in 2013 may have let hackers "learn about the platform, the infrastructure of our system."

And lawmakers from both sides of the aisle raised concerns over OPM’s response to the most recent hack once it was first detected in April, particularly questioning efforts to protect those potentially affected and to inform the public about the hack's likely scope.

Archuleta acknowledged at least 18 million people may have had their Social Security numbers compromised, and the number of Americans whose personal information was stolen "may well increase."

ABC News has been reporting for weeks that friends, relatives and associates of those who had background checks conducted by the federal government could be among the victims of the OPM hack.

Nevertheless, Archuleta made clear that in the wake of the hack, her agency "has taken steps to ensure that greater restrictions are in place," including hiring a new cyber-security adviser and removing remote access for certain users of OPM's computer systems.

She rebuffed suggestions she step down as director of an agency that acts as the federal government's human resources division.

"I am more committed than ever to serving the employees of this administration," Archuleta vowed, saying she has "fulfilled" her responsibilities as OPM director by, among other things, "seeking the resources we need to do our work."

She suggested, as she has at previous hearings, that she inherited an aging "legacy system" whose cyber-security has been neglected for decades.

Comments