OPM silence leaves workers, lawmakers guessing and grumbling

The U.S. Office of Personnel Management let data on millions of people slip through its fingers, but is maintaining a stony silence when it comes to telling victims what’s going on.

OPM has so far offered a bare-bones response to federal workers, their union and members of Congress about a massive data breach that could affect up to 18 million people. That has left stakeholders guessing at how bad the breach is and what the government can really do to make it right, if anything.

OPM is now in the process of informing the millions of people who are at greater risk of identity theft. But the agency is using a bland letter that is falling flat with the largest federal workers’ union, especially since almost no other information has been released more than two weeks after the breach was announced.

“I am writing to inform you that the U.S. Office of Personnel Management recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information,” opens a variation of the letter that will go to everyone affected by the two huge data hacks announced this month.

“[V]ery little substantive information has been shared with us, despite the fact that we represent more than 670,000 federal employees in departments and agencies throughout the Executive branch,” J. David Cox, president of the American Federation of Government Employees, wrote OPM Director Katherine Archuleta on June 11.

“OPM has attempted to justify the withholding of information on the breach by claiming that the ongoing criminal investigation restricts your ability to inform us of exactly what happened, what vulnerabilities were exploited, who was responsible for the breach, and how damage to affected individuals will be compensated,” he continued.

Members of the House Oversight and Government Reform Committee were no happier last week when Archuleta testified before their panel. Citing the ongoing investigation, she wouldn’t say how many current, former and potential federal employees had their information accessed. Originally OPM said 4.2 million were affected but after making the second breach public, OPM has been mum about the exact figure.

Now, unnamed government officials are saying that FBI Director James Comey told senators behind closed doors last week that sensitive information on about 18 million Americans is in hackers’ hands.

“You’re doing a good job of stonewalling us — hackers, not so much,” Rep. Stephen Lynch, D-Mass., quipped at the House oversight panel hearing.

That lack of transparency has brought OPM criticism it could have avoided, experts said.

“You expect the government to lead by example and to have thought through all the various scenarios and how you would communicate” them, said Frank Cilluffo, director of George Washington University’s Center for Cyber and Homeland Security.

Not only were OPM officials unprepared to handle the fallout, they seemed to do “a lot of finger pointing, which came off as defensive,” added Cilluffo, who testified before the House Financial Services Committee last week about cybersecurity issues. “And once you start down that route, it’s hard to instill confidence in the future,” he said, adding that OPM, which has been hacked four times since March of 2014, should have been ready to handle the aftermath this time.

“You should be learning from experience,” he said. “Ideally, you learn from other people’s mistakes” but if that’s not an option, one should “at least learn from your own.”

Tony Busseri, CEO of Route 1, Inc., a federal government IT security contractor, agreed that OPM was slow to react. “I don’t think they were as quick as they could’ve been with this,” he said.

Beyond their frustration with scant details and slow reporting, federal workers are also unhappy with OPM’s mitigation offerings.

OPM’s decision to outsource “the responsibility for answering affected employees’ questions adds insult to injury,” Cox complained in his letter. “The terms of the contract apparently do not include guaranteed access to a living, breathing human being knowledgeable enough to answer questions.”

Apparently, the Pentagon is not overly impressed with OPM’s performance either. According to the federal employees’ union, the Defense Department “has suspended email notifications to DoD employees regarding the data breach, after Defense officials raised concerns that the email could make employees vulnerable to phishing schemes,” the American Federation of Government Employees website states under its OPM breach “latest news” section.

“Please note: DoD has blocked access to this website from work computers until a more secure notification and response process has been established,” the notice continued.
