Following recent news of two data breaches at the Office of Personnel Management (OPM), which affected the sensitive information of up to 14 million past and present federal workers, Congress has inevitably taken the OPM’s director to task.
Katherine Archuleta, who has led the OPM since 2013, was grilled at a congressional hearing headed by Republican representative Jason Chaffetz, who blamed her personally for the OPM’s poor security, telling her she had “completely and utterly failed”.
Asked if the figure of 14 million was accurate, Ms Archuleta was reluctant to reveal information about the extent of the incident, repeatedly telling the chair of the House Committee on Oversight and Government Reform that she’d be “glad to discuss that in a classified setting”, but admitted that at least 4.2 million federal employees were affected.
The committee heard that the inspector general had warned about security failings at OPM since 2007 and that he had recommended last year that OPM’s systems be shut down because they were vulnerable – not least because the information they held was unencrypted – and Ms Archuleta ignored this recommendation.
Asked why the information was not encrypted, Ms Archuleta told the committee that legacy systems – some of which date back to 1985 – were to blame for the breaches, and that implementing encryption was unfeasible because they were too old.
Mr Chaffetz didn’t think this a reasonable explanation. “You failed, OK?” he told her. “You failed utterly and totally.”
C-SPAN – the public service broadcaster that televises US political events, including coverage of House and Senate proceedings – has a video of the hearing here.
Keeping your systems up to date is essential to rebuffing cyber attacks. If you’re concerned about your organization’s susceptibility to attack, we recommend penetration testing your networks and web apps.
As a CREST member company, IT Governance has been verified by an independent body attesting that our work will be carried out to a high standard by qualified and knowledgeable individuals. Our Web Application Penetration Test combines a number of advanced manual tests with automated vulnerability scans to ensure that your web applications are secure against attack.