Fedweek

Many individual employees are expressing frustration over the lack of specifics from OPM regarding what information was taken and when. The federal unions, traditionally an ally of the administration, have become increasingly vocal in their calls for more disclosure, and at the hearing members of Congress of both parties pressed for more details—which OPM was largely unwilling to provide in a public setting. Officials did confirm, however, that they believe the personnel records were not only accessed but that the information in them actually was taken out; they would not say whether they believed that also was the case with the security clearance background records. Nor would officials say exactly which databases were hit, how many persons are directly or indirectly impacted by the hack of the security clearance application files, whether that universe includes personnel of intelligence agencies, contractors or the uniformed military, how far back the impacted records go, or other details. Committee members pointed out that the clearance application form at issue, the SF-86, asks for a wide range of highly personal information, including some—such as disclosures of arrests and alcohol or drug use—that could be used for blackmail purposes. Another criticism expressed at the hearing was that OPM had been warned repeatedly by IG audits about security vulnerabilities and had not responded enough by the time of the intrusions to prevent them—including failing to take even basic steps such as encrypting Social Security numbers. OPM officials said they have been working on those weaknesses and blamed the time it takes to upgrade or replace what they called badly outdated systems—some of which they said cannot handle today’s best security practices—and that encryption would not have helped in the type of breach that occurred.