The Hack That Took Down an Agency Director

Katherine Archuleta, the director of the Office of Personnel Management, resigned after the true extent of a massive federal cyberbreach was revealed.

FBI Director James Comey (Kevin Lamarque / Reuters)

Updated 7/10/15

One day after publicly defying calls to resign, Office of Personnel Management Director Katherine Archuleta announced that she would be leaving the government agency. On Thursday, an investigation revealed that hackers had stolen the sensitive data of over 21 million Americans in a devastating cyberbreach earlier this year.

Archuleta didn’t directly mention the scandal in her resignation statement, but the development is hardly unexpected given that the hacking episode is now understood to be far larger than when it was first reported last month. As recently as Thursday, Archuleta had support from the White House and some members of Congress, but as she spoke with reporters later in the day, a leading question was whether or not she planned to leave her post.

On Wednesday, computer glitches grounded thousands of United flights and suspended securities trading on the New York Stock Exchange, although neither failure is thought to have stemmed from “malicious activity.” Those meltdowns overshadowed Senate testimony about another major tech-related episode that was nefarious—the breach of the Office of Personnel Management (OPM), purportedly by China-linked hackers.

Although the breach was technically last month’s news, each government statement has revealed that it was larger than previously disclosed. First, the breach was said to include the data of four million Americans. Then it grew to 14 million. And then to 18 million. On Thursday, the figure ballooned to over 21 million.

“The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases,” the OPM announced. “This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.”

Among those affected was FBI Director James Comey, who testified on Wednesday about the extent to which the “enormous” digital pilfering of the OPM’s trove of documents, including the sensitive SF-86, affects more than just government employees or contractors:

I’m sure the adversary has my SF-86 now. My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.

Comey’s testimony suggests that even this latest figure—21 million—may not come close to capturing the full scope of the breach. That count would have captured Comey himself, but apparently would not have included his children, siblings, or other relatives whose personal information was also disclosed, so long as their SSNs were not in the database. Including that broader category of individuals in the count would, presumably, expand it exponentially.

The breach reveals a downside of 21st-Century efficiency. Federal employees who applied for security clearances prior to 1999 were substantially less likely to be affected than those who applied after 2000.

On Wednesday, the National Treasury Employees Union became the second major union of federal workers to sue the federal government over the breach. According to The Hill, the NTEU alleges that the OPM’s “failure to properly heed warnings about major security failures in its networks was unconstitutional.”

The lawsuit, as described by the union’s national president, is “the best way to force OPM to take immediate steps to safeguard personnel data, prevent such attacks in the future.”

Stopping future attacks is crucial, but first, the full contours of this most-recent episode are only starting to be grasped. In a conference call on Thursday afternoon, a National Security Council representative refused to publicly say who was behind the attack. On the same call, Katherine Archuleta, the director of the Office of Personnel Management, added that there was “no evidence” that information taken had been used. (She also told reporters that she would not resign her post.)

Despite making efforts to allay fears, the OPM press release on Thursday offered an assessment that the records stolen by hackers included approximately 1.1 million sets of fingerprints as well as “findings from interviews conducted by background investigators.” And the slowly unfolding pace of such disclosures offers little reason to believe that the full extent of the damage has now been revealed.