MELISSA BLOCK, HOST:
Gross negligence - that's essentially what members of a House committee said the Office of Personnel Management is guilty of. The OPM says that hackers managed to break into its computer systems and steal the data of some 4 million current and former federal employees. But sources tell NPR many more people have been affected - more than 14 million. There are questions about whether the government is doing enough to prevent future break-ins as NPR's Brian Naylor reports.
BRIAN NAYLOR, BYLINE: OPM Director Katherine Archuleta came under attack from Republicans and Democrats for her agency's handling of the breach that hit the computers where the personal information of most federal employees is kept. House Oversight Committee chairman Jason Chaffetz, a Utah Republican, said the inspector general's office has said earlier that OPM's computer security was so bad, some of the systems should be shut down.
(SOUNDBITE OF ARCHIVED RECORDING)
JASON CHAFFETZ: Your systems were vulnerable. The data was not encrypted. It could be compromised. They were right last year. They recommended it was so bad that you shut it down, and you didn't. And I want to know why.
NAYLOR: Archuleta said some of the OPM computers were too old to handle encryption and that shutting down the systems would've created payroll and benefit problems. The OPM director did confirm that a second breach, revealed Friday, included records of people who had undergone background checks to qualify for federal jobs.
(SOUNDBITE OF ARCHIVED RECORDING)
KATHERINE ARCHULETA: There is a high degree of confidence that systems related to background investigations of current, former and prospective federal government employees and those for whom a federal background investigation was conducted may have been exfiltrated.
NAYLOR: But Archuleta would not say publicly whether those whose data was stolen included government contractors, military personnel or CIA agents. Nor would she say how many additional people were impacted. Some sources have put the number in excess of 14 million people. Officials did confirm that the data includes personnel records that, for some long-term employees, go back decades. Also testifying today was the U.S. chief information officer, Tony Scott. He told the panel that because of the age of some of the government computer systems, patching the holes was difficult.
(SOUNDBITE OF ARCHIVED RECORDING)
TONY SCOTT: In some cases, very, very hard to sort of duct tape and Band-Aid things around these systems. It doesn't mean there's nothing you can do, but fundamentally, it's, you know, old architectures that need to be replaced.
NAYLOR: Scott has ordered government agencies conduct what he's calling a 30-day cybersecurity sprint to patch vulnerabilities, immediately report possible hacks and make access more difficult by requiring multiple forms of verification. James Lewis is a cybersecurity expert with the Center for Strategic and International Studies. Lewis says it sounds like a good idea, but...
JAMES LEWIS: You know, they've tried this before, and the problem is always follow-up. How do you make sure that people do it? And what do you do to them if they don't do it? So it's a nice set of ideas, but the question will be, 30 days from now, what happens to an agency that hasn't followed through?
NAYLOR: After today's hearing, Oversight Committee chairman Chaffetz, who early said the OPM director had utterly failed, called for Archuleta to step down. Brian Naylor, NPR News, Washington. Transcript provided by NPR, Copyright NPR.
