Price tag for OPM breach at least $19 million
The听Office of Personnel Management data breaches that exposed sensitive information on at least 4.2 million current and former federal employees will cost the government at least $19 million, Katherine Archuleta, the agency's director, told a Congressional hearing Tuesday.
That money will pay for the听massive undertaking to inform victims of the breach as well as cover credit monitoring services for each of them, Ms.听Archuleta testified to a Senate Appropriations Committee panel. She听said the office is still exploring whether to extend similar services to those tangentially effected in the breach, such as family members listed within the exposed files.听
Tuesday's hearing marked the second congressional appearance for听Archuleta since the breach and was听one of a trio of听hearings on the matter scheduled for this week. Indeed, many lawmakers have been quick to criticize Archuleta over the agency's network security practices and some听have called for her resignation over the hack that exposed of vast amounts of sensitive personal information.听
鈥淚 am as upset as [those affected] are about what happened and what these perpetrators have done with our data,鈥 said Archuleta, who also听confirmed that attackers gained access to the network with credentials stolen from security contractor KeyPoint in 2014.
As for placing blame, Archuleta said that no one at OPM is being singled out.听鈥淚f there鈥檚 anyone to blame, it is the perpetrators. They鈥檙e concentrated, very well funded, [and have] focused, aggressive efforts to come into our systems."
That assessment did not听seem to appease the committee, which said the incursion revealed a devastating gap when it comes to protecting government information and systems.听
"The problem is something much greater than a lack of resources," said听John Boozman (R) of Arkansas, chair of the Financial Services and General Government Subcommittee. What's more, he said, as a result of this breach and other recent hacks that have penetrated federal systems, "the American people have lost faith in their institutions."
When the security breach was first detected in April, OPM was in the midst of a $93 million security upgrade that would improve听access controls and create a more centralized system for data management. It was during that process that the agency discovered the breach.听
But, even at that cost, the upgrade falls short of actually transitioning the old system to the new operating platform, said听Michael Esser, assistant inspector general for OPM. That would carry a "substantial" price tag. Without securing funding for the transition, Mr. Esser said, the agency will fall short of its goals.听
Tuesday's hearing followed听the White House's announcement last week that federal agencies must "sprint" to improve their cybersecurity, including by updating their software and applying patches.听
During that time other federal agencies are likely to find听听"significant breaches," said听Richard Spires, chief executive officer of the security firm听Resilient Network Systems.
鈥淲hat we need are [chief information officers] that have the authority to bring best practices,鈥 Mr. Spires said, 鈥渁nd not to allow systems or practices to continue that jeopardize the security of our data and our systems. That has been the problem for decades.鈥
听
