Fox News: Fox News has learned that the number of victims of a pair of massive cyberattacks on U.S. government personnel files has soared to at least 18 million — but the head of the hacked Office of Personnel Management refuses to blame anyone in her agency.
“I don’t believe anyone is personally responsible,” OPM Director Katherine Archuleta said Tuesday.
The statement came during tense Capitol Hill testimony on a breach that seems to be growing wider by the day. Archuleta, who faced tough questioning at a House hearing last week, likewise faced angry senators on Tuesday before a Senate appropriations subcommittee.
Grilled on whether anyone takes responsibility, Archuleta said only the perpetrators should be blamed — she said current failures result from decades of meager investment in security systems, but said changes are being made and in fact helped detect the latest breaches.
Still, the assurances are unlikely to ease concerns on Capitol Hill and among those who may have been affected. The web has expanded to include not just current and former government workers, but also those who may have applied for a government job.
The Office of Personnel Management initially estimated about 4 million current and former government workers were affected by one of the hacks. But Fox News is told by multiple sources that lawmakers have been informed the number will grow to at least 18 million — and could, according to one source, soar to as high as 30 million.
During the Senate committee hearing on Tuesday, Archuleta testified that a second hack indeed exposed more individuals, though she said its “scope” and “impact” have not yet been determined.
She said this separate incident has affected files related to background investigations for “current, former and prospective government employees.” Amid concerns that those affected have been left in the dark, Archuleta said the government would be notifying those whose information may have been compromised “as soon as practicable.”
Meanwhile, she said a hacker also gained access to the agency’s records with a credential used by a federal contractor. Archuleta told the Senate hearing on Tuesday that an “adversary” somehow obtained a user credential used by KeyPoint Government Solutions, a contractor based in Colorado. She didn’t say specifically when that occurred or if it was related to the two cyberbreaches being discussed.
It was reported earlier that officials, in the second hack, were concerned information may have been stolen from a document known as Standard Form 86, which requires applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant is required.
Some officials have implicated China in at least one of the breaches. The new revelations and Tuesday’s hearing come during an awkwardly timed U.S.-China economic dialogue in Washington, where Secretary of State John Kerry is participating.
There are about 2.6 million executive branch civilians, so the majority of the records exposed relate to former employees. Contractor information also has been stolen, officials have said.
Earlier, a major union said it believes the hackers stole Social Security numbers, military records and veterans’ status information, addresses, birth dates, job and pay histories; health insurance, life insurance and pension information; and age, gender and race data.