The Office of Personnel Management updated congressional staffers Monday on the status of a review of its data-security systems, but continued to duck questions about the extent of a data breach that affected federal employees' sensitive background-check data, according to multiple Hill sources.
OPM and the Department of Homeland Security held a joint conference call with several congressional offices to brief them on the ongoing investigation into a pair of massive cyber-intrusions disclosed over the past month that officials privately have linked to China.
One congressional staffer said OPM stated on the call that it is planning to announce as soon as next week the size of a second breach of its servers, which exposed highly sensitive security-clearance information of intelligence and military personnel.
The agency pushed back against any suggestion that a definitive timeline was set for a new announcement, however. "We will make a public announcement when we have more details to share," OPM spokesman Samuel Schumach said when asked about the call. "I just don't know a specific date just yet."
OPM officials on the call said they had not yet reached a final determination about the scope of the second breach, according to multiple staffers, who would speak only on condition of anonymity given the sensitivity of the call.
The estimates for the total number of individuals affected by the data breach has increased in recent media reports. Last week, CNN reported that tally could be as high as 18 million, given that hackers had access to a database storing security-clearance forms, known as SF-86, which possess a multitude of personal information about family members and other close affiliates.
Officials used the call to discuss the agency's decision to suspend use of a Web-based system to fill out detailed background investigations, which it publicly announced Monday. That system has a security flaw that will take several weeks to fix, the agency said, but there is no evidence that the flaw was exploited.
The officials did not say how long the vulnerability had existed before it was discovered, or exactly what data was affected, according to one congressional staffer who was on the call.
OPM has consistently said 4.2 million former and current workers were affected by a first hack of federal employee data. In testimony last week, OPM Director Katherine Archuleta refused to give an estimate on how many employees were affected by what officials have described as a discrete second breach of far more sensitive security-clearance information. The refusal to provide a figure is because the investigation is ongoing, Archuleta said.
It is not yet clear whether the second set of notifications would be sent by the same contractor that was in charge of the first wave of emails and letters to the 4.2 million individuals whose data may have been affected by the earlier data breach at OPM.
That contractor, CSID, was criticized by lawmakers and federal employees for sending notifications by email that some assumed were another attempt to defraud them. Members of Congress have also cited complaints about long wait times—up to three hours—for calls placed to the contractor for help.
OPM paid CSID about $20 million for its notification services.