The Office of Personnel Management data breaches that exposed sensitive information on at least 4.2 million current and former federal employees will cost the government at least $19 million, Katherine Archuleta, the agency's director, told a Congressional hearing Tuesday.
That money will pay for the massive undertaking to inform victims of the breach as well as cover credit monitoring services for each of them, Ms. Archuleta testified to a Senate Appropriations Committee panel. She said the office is still exploring whether to extend similar services to those tangentially affected in the breach, such as family members listed within the exposed files.
Tuesday's hearing marked the second congressional appearance for Archuleta since the breach and was one of a trio of hearings on the matter scheduled for this week. Indeed, many lawmakers have been quick to criticize Archuleta over the agency's network security practices and some have called for her resignation over the hack that exposed vast amounts of sensitive personal information.
“I am as upset as [those affected] are about what happened and what these perpetrators have done with our data,” said Archuleta, who also confirmed that attackers gained access to the network with credentials stolen from security contractor KeyPoint in 2014.
As for placing blame, Archuleta said that no one at OPM is being singled out. “If there’s anyone to blame, it is the perpetrators. They’re concentrated, very well funded, [and have] focused, aggressive efforts to come into our systems.”
That assessment did not seem to appease the committee, which said the incursion revealed a devastating gap when it comes to protecting government information and systems.
"The problem is something much greater than a lack of resources," said John Boozman (R) of Arkansas, chair of the Financial Services and General Government Subcommittee. What's more, he said, as a result of this breach and other recent hacks that have penetrated federal systems, "the American people have lost faith in their institutions."
When the security breach was first detected in April, OPM was in the midst of a $93 million security upgrade that would improve access controls and create a more centralized system for data management. It was during that process that the agency discovered the breach.
But, even at that cost, the upgrade falls short of actually transitioning the old system to the new operating platform, said Michael Esser, assistant inspector general for OPM. That would carry a "substantial" price tag. Without securing funding for the transition, Mr. Esser said, the agency will fall short of its goals.
Tuesday's hearing followed the White House's announcement last week that federal agencies must "sprint" to improve their cybersecurity, including by updating their software and applying patches.
During that time other federal agencies are likely to find "significant breaches," said Richard Spires, chief executive officer of the security firm Resilient Network Systems.
“What we need are [chief information officers] that have the authority to bring best practices,” Mr. Spires said, “and not to allow systems or practices to continue that jeopardize the security of our data and our systems. That has been the problem for decades.”