Friday, 17 July 2015

Chinese Hack of U.S. Data Indicative of Systemic Problem

As more and more information comes to light about two major data-breaches late last year, it is becoming apparent that the U.S. Office of Personnel Management has been hemorrhaging data. The problem is both broader and deeper than had been reported and the trail of failure leads to the White House.

The cyber-attack, which was originally said to have compromised the data of "possibly millions," was later reported to have involved over four million people. Now U.S. officials are raising that number again. According to a report by the Washington Post, the data-breaches — which were carried out by the Chinese government — "exposed sensitive information about at least 22.1 million people, including not only federal employees and contractors but their families and friends."

The Office of Personnel Management (OPM) is the federal equivalent of a department of human resources. It keeps personnel files on all government employees and contractors. OPM also handles background checks for security clearances. So the data that was exfiltrated from its systems would include the names, dates of birth, Social Security numbers, addresses, previous addresses, clearances either held or applied for, known associates, and other identity information on government employees and their family members.

The Washington Post cited U.S. officials as saying these data-breaches "rank among the most potentially damaging cyber heists in U.S. government history because of the abundant detail in the files."

As FBI Director James Comey put it when he spoke with reporters, "It is a very big deal from a national security perspective and from a counterintelligence perspective. It's a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government."

This is the type of information that the U.S. government should guard with its life. Instead, the data systems of OPM were left in the hands of "unqualified information technology personnel," according to Michael Esser, OPM's assistant inspector general for audit. Esser testified before the House Oversight and Government Reform Committee last month that he had recommended in November that the OPM pull the plug on some networks due to security risks. OPM Director Katherine Archuleta declined to follow his recommendation and the breach (which had likely been going on for months) continued unabated until it was discovered in April of this year.

As damaging as the breaches themselves are, what is perhaps even worse is the lack of disclosure coming from Archuleta. Even as she was being excoriated by members of the House Oversight and Government Reform Committee who called for her resignation, she still did not disclose the fullness of the breach. Democrat Stephen Lynch said Archuleta did a better job keeping information from Congress than she did keeping it from hackers.

Even though members called for her resignation, she did not immediately resign. Only when this new information came to light did she step down. In an email to OPM staff, Archuleta confirmed her resignation: "I write to you this afternoon to share that earlier today, I offered and the President accepted my resignation as the Director of the U.S. Office of Personnel Management." She referred to her time as OPM director as "the highlight of my career."

It is possible that she did not deliberately mislead the congressional committee. Maybe she was so helplessly out of her depth that she was unaware of what data was stolen. In either case she was unfit for the post she held.

The burning question here is how someone so unqualified could be put in such a position of responsibility in the first place. What vetting process allows someone with little or no knowledge or experience related to securing data systems to land a job overseeing those systems? The answer seems to be that President Obama is more concerned with making and maintaining political appointments than he is with doing his job. Even after it was revealed that she had misled Congress about failing miserably at safeguarding the data systems at OPM, White House Press Secretary Josh Earnest said, "The president does have confidence that she's the right person for that job."
