Inside courtroom College protests Start the day smarter ☀️ Bird colors explained
WASHINGTON
Mental Health

House oversight chairman to OPM chief: 'It's time for you to go'

Erin Kelly
USA TODAY
House Oversight and Government Reform Committee Chairman Jason Chaffetz, R-Utah, speaks on Capitol Hill on June 24, 2015.

WASHINGTON — The chairman of the House oversight committee told Office of Personnel Management Director Katherine Archuleta that "it's time for you to go" at a Wednesday hearing held in the wake of two massive cyber attacks that compromised the data of millions of federal workers.

Chairman Jason Chaffetz, R-Utah, also raised the possibility that the data breach may have involved the records of up to 32 million workers. Archuleta has so far confirmed that at least 4.2 million employees were affected by the first hack but has said investigators are still trying to determine how many were hit in the second.

"I think you are part of the problem," Chaffetz told Archuleta at a four-hour hearing. "I think it's time for you to go."

Archuleta, who began her job at OPM about 18 months ago, has been under fire since the damaging hacks were revealed earlier this month after being discovered by OPM in April. The attacks occurred in late 2014 and early 2015.

Archuleta did not get a chance to respond directly to Chaffetz' comments, but she said earlier in the hearing that she is "more committed than ever to serve" and wants to continue her work to modernize the agency's information technology systems, some of which are 30 years old.

Prep for the polls: See who is running for president and compare where they stand on key issues in our Voter Guide

She told a Senate appropriations subcommittee Tuesday that no one at OPM is personally to blame for the data breach. However, she told the House panel Wednesday that, "I hold all of us responsible. That's our job at OPM (to protect the data)."

Chaffetz pressed Archuleta on whether the cyber attack — believed to have been committed by Chinese hackers — may involve as many as 32 million records. He based that number on information in OPM's 2016 budget request, which says that the agency is the proprietor of personally identifiable information on 32 million federal employees and retirees.

"Are you here to tell me that information is all safe," Chaffetz asked. "Or is it potentially 32 million records here that are at play?"

Office of Personnel Management Director Katherine Archuleta testifies on Capitol Hill on June 24, 2015.

Archuleta said federal investigators are still reviewing the scope of the second breach, which compromised the data of current, former and prospective employees who filled out lengthy forms for jobs that require a security clearance. Applicants for those jobs must detail their mental health history, criminal records, drug and alcohol use, personal relationships, and financial data.

Recent news reports have suggested that the total number of people affected by the attacks may be 18 million. Archuleta on Wednesday called that number "a preliminary, unverified and approximate number."

"It is a number I am not comfortable with at this time because it does not represent the total number of affected individuals," she said.

When Chaffetz questioned her about whether the number could ultimately be as high as 32 million, Archuleta replied, "I'm not going to give you a number that I'm not sure of."

In addition to telling Archuleta to leave, Chaffetz told OPM's chief information officer, Donna Seymour, "you're in over your head."

"There's going to have to be a new team brought in," the congressman said.

Lawmakers also questioned top officials of two private contractors that OPM hired to conduct background checks of job applicants seeking work with the military, the CIA, the FBI and other law enforcement agencies.

Both current contractor KeyPoint Government Solutions and former contractor USIS were hacked last year, raising questions about whether cyber criminals could have entered OPM's system through its contractors.

KeyPoint CEO Eric Hess testified that there was no evidence that the attack against his company compromised any sensitive personal data despite OPM's notification of about 48,000 federal workers that their information may have been exposed.

"After an extensive analysis of this incursion, we found no evidence of the exfiltration of sensitive personal data," Hess said.

However, Hess confirmed what Archuleta had previously reported Tuesday: that the hackers who attacked OPM were able to access OPM's systems by stealing OPM credentials assigned to a KeyPoint employee.

"As Director Archuleta noted at a Senate hearing...there is no evidence suggesting that KeyPoint was responsible for or directly involved in the incursion," Hess said. "To be clear, the employee was working on OPM's systems, not KeyPoint's."

Rep. Matt Cartwright, D-Penn., said KeyPoint must bear part of the responsibility for the data breach since its employee's credentials were used.

"KeyPoint is responsible for the actions of its employees," he said.

Featured Weekly Ad