The Office of Personnel Management has heard the complaints loud and clear about the customer service from Winvale and CSID, the companies providing credit monitoring services after the 4 million person federal data breach.
OPM Director Katherine Archuleta told Senate lawmakers Tuesday she is doing everything she can to ensure current and former federal employees are getting timely responses to their questions about the massive data breach.
During a Senate Appropriations Subcommittee on Financial Services and General Government hearing, Archuleta said she believes CSID is highly qualified, pointing to the fact that the company handled the Sony breach notification.
But at the same time, Archuleta said she’s frustrated and angry about the delays and problems federal employees and retirees have experienced over the last week.
“I want to be sure they are doing everything they can to reduce those wait times so that’s why I’ve instructed my CIO and her team to work with that contractor to improve daily the services they are giving to our employees,” she said. “Our employees should not have to experience that and that’s why we are demanding from our contractor that they improve their services. I do believe, sir, because of the conflation of two incidents that we’ve had a high number of phone calls. But that’s not an excuse. Our contractor should be able to perform to that number and we are demanding that it do so.”
OPM’s decision to hire Winvale and its subcontractor CSID came under scrutiny by lawmakers and procurement experts after questions arose about the contract award process.
Now those concerns are getting louder as CSID struggles to keep up with the demand. Sen. Mark Warner (D-Va.), the American Federation of Government Employees and the National Treasury Employees Union sent letters or publicly called on OPM to do something about the customer services problems. Warner, AFGE and NTEU all have heard from constituents and
members complaining about long wait times on the phone, website crashes and notification letters sent to the wrong address.
Gathering data for second breach notification process
To that end, Archuleta said OPM is reviewing its processes and procedures, and trying to learn from the first breach impacting 4 million current and former feds as it prepares the breach notification for what some media outlets have reported to be as many as 18 million people.
While Archuleta wouldn’t confirm how many people are impacted by the second breach, she said OPM is examining a range of options and talking to the Chief Human Capital Officer’s Council, and employee groups and unions to improve how they send out notifications and provide services to those impacted by the second breach.
While she didn’t offer any details on what that broad range of options includes, lawmakers, unions and even some agencies were unhappy that OPM told employees to an unfamiliar dot-com site and the email didn’t come from a dot-gov address, but a dot-com address.
Archuleta also said the entire process of offering credit monitoring for 18 months, sending out emails and Postal Service notifications for the first 4 million affected current and former feds is costing the agency between $19 million and $21 million. OPM awarded CSID a contract worth about $21 million.
The Senate subcommittee hearing was the first of three scheduled this week on Capitol Hill about the OPM cyber breach.
Archuleta and her staff also will face a second round of questioning by the House Oversight and Government Reform Committee Wednesday. Then on Thursday, the Senate Homeland Security and Governmental Affairs Committee will have their turn to ask about the breach.
Five cyber attacks in less than a year
In the meantime, a few drips and drabs continue to come out about the breach through lawmakers’ questions.
The newest information on Tuesday builds on something exposed last week about
how the hackers got into OPM’s network and why data encryption wouldn’t have
Archuleta offered a bit more detail about how the hackers got into the OPM and Interior data center.
“I want to be very clear that while the adversary leveraged a compromised KeyPoint user credential to gain access to OPM’s network, we don’t have any evidence that would suggest KeyPoint as a company was responsible or directly involved in the intrusion. We have not identified a pattern or a material deficiency that resulted in the compromise of the credential,” she said. “Since last year, we have been working with KeyPoint and they have taken strides in securing its network, and have been proactive in meeting the additional security controls that we have asked them to use to protect all of the background data.”
At the last hearing, the Homeland Security Department detailed that it was the contractor breach that likely gave the hackers the keys to the network.
OPM has been a target of hackers for much of the past year.
OPM suffered three attacks in 2014, starting in March when the agency discovered the first attempted cyber attack. OPM says it found hacker activity, but no personal data was lost.
Then USIS, the security clearance contractor suffered a breach in June 2014, impacting about 25,000 DHS and other employees. Then in August 2014, KeyPoint, also a security clearance contractor, suffered a breach, affecting about 48,000 federal employees.
KeyPoint was involved in another large federal data breach recently detailed.
DHS is sharing more information KeyPoint breach impacting 390,000 current and former employees.
DHS began sending notices about this separate breach in June, but in an email to employees, which was obtained by Federal News Radio, DHS says the breach impacted mostly workers at Customs and Border Protection, Immigration and Customs Enforcement and the Transportation Security Administration.
DHS highlighted this was a separate breach from the OPM problems and current and former employees are being notified by the Postal Service.
DHS spokesman S.Y. Lee said DHS learned of the intrusion in September 2014 while conducting an assessment of KeyPoint’s network and immediately stopped the flow of information and put other mandatory safeguards in place.
Lee added it’s unclear whether any employee information was exposed because of the breach, but DHS is offering credit monitoring as a precaution.
Not all OPM systems were old.
While KeyPoint seems to account for some of the problems, the Senate hearing also pushed some of the blame back to OPM’s lack of cyber oversight.
At the last hearing, Archuleta and OPM CIO Donna Seymour told House lawmakers the agency’s technology was too old to easily use new cyber technologies.
But Michael Esser, the assistant IG for audits, told Senate lawmakers that OPM can’t entirely blame its legacy systems.
“There are many legacy systems at OPM. I don’t want to give the wrong impression. That’s a fact,” Esser said. “But based on the work we’ve done in our audits and on ongoing work that we are doing, it’s our understanding that a few of the systems that were breached are not legacy systems. They are modern systems that current tools could be implemented on.”
OPM spokesman Sam Schumach pushed back against the IG’s claims that some of the systems could’ve handled modern cyber technologies.
“While there were a few systems affected that were not necessarily legacy systems, the applications behind them were still outdated and could not handle the encryption and other advanced protections,” Schumach wrote in an email to the press after the hearing.
Sen. John Boozman (R-Ark.) said the fact that these legacy systems could’ve been upgraded but weren’t is a management problem that OPM needs to fix.
While Boozman said it was too early to call for Archuleta to resign, he was keen on learning more about the hack during a classified session on the breach held Tuesday afternoon.