One lawmaker with a large federal constituency is less than pleased with how the Office of Personnel Management has responded to the two data breaches that may have compromised the personal information of up to 14 million former and current federal employees.
“As a senator from Virginia, where we have a disproportionate number of federal employees, I am not happy with OPM. I am not happy with the level and focus of the response,” Sen. Mark Warner (D-Va.) told Federal Drive with Tom Temin Tuesday morning. “Remember, this is the second hack. We saw a hack last year with subcontractor USIS. Now we see this hack that by day, by the week, the numbers continue to go up in terms of the number of employees that were hacked. CNN’s now reporting 18 million employees hacked.”
Equally troubling for the Virginia senator is how quickly OPM awarded Winvale and subcontractor CSID the contract to handle notifying federal employees affected by the hack. Warner sent a letter to OPM Director Katherine Archuleta last week seeking answers about both the rationale for the contract award and the performance of Winvale and its subcontractor CSID.
“The performance of the group is just awful,” Warner said. “We have constituents calling in saying they are waiting between an hour to two hours wait time on the phones to get an answer. The contractors are saying they’re beefing up their call center operations, but why in the heck didn’t they beef those before they got the contract?”
On Tuesday, Archuleta responded with a letter of her own. She reviewed the timeline of when her agency detected the breaches and began notifying affected individuals.
“As you know, OPM is currently responding to two separate cyber intrusions,” she wrote. “The first was announced on June 4, 2015 and impacted personnel information of approximately 4.2 million current and former Federal employees. OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution, in order to mitigate the risk of fraud and identity theft. This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM. Initial notifications to individuals affected by this incident were completed on June 19, 2015. However, OPM will continue to work with the vendor to identify alternative means to contact individuals for whom we have an invalid email and/or mailing address on file.”
The investigation of the second cyber breach is still continuing, Archuleta wrote, and the identity of the affected individuals has yet to be determined. For this reason, no notifications have been sent yet.
Archuleta’s letter did not address Warner’s questions about the quick awarding of the Winvale and CSID contract or the long wait times his constituents are encountering when contacting CSID.
Archuleta is scheduled to give the full Senate a classified briefing on the second breach and OPM’s response to the hacks.
Warner has plenty of questions he’d like to see answered in the briefing. While some have called for Archuleta to resign over the breach, Warner doesn’t go quite that far.
“I think I owe her the ability to hear her side of the story, but I have not been impressed with the level of response, the quality of the response, the fact that OPM has not been a little more forward-leaning on things like protecting those who’ve been breached on credit information,” Warner said. “All the four senators from Virginia and Maryland called for an extended credit ranking time, longer than 18 months.”
Warner calls on IRS to work with OPM on protecting data
Warner sent a letter today to IRS Commissioner John Koskinen asking his agency to work proactively with OPM to ensure that the personal information of those affected by the hack is not used to commit tax fraud.
Earlier this year, Warner’s father was a victim of tax fraud. Someone had used his Social Security number to divert his refund check to a fraudulent address.
“That has happened literally hundreds of thousands of times,” Warner said. “This could potentially happen to all of our federal employees and we need to be much more forward leaning into it.”
The OPM breach raises concerns in four broad areas: the breach itself, national security, performance of the agency in question and possible contracting irregularities.
Regarding the data breach itself, Warner said that OPM had requested $23 million in additional funding to beef up its data security. “Putting money on the front end to help better secure our data would make sense,” he said.
Warner plans to submit bipartisan legislation calling for a set of standards for when an agency should notify those affected when a data breach occurs.
Breach raises ‘enormous national security concerns’
As a member of the Senate Intelligence Committee, Warner would not comment on the national security aspect of the breach. But he did say that if it turns out the second breach compromised SF-86 forms, which contain the personal information of individuals seeking security clearances and their family members, that raises “enormous national security concerns.”
Regarding OPM’s response to the breach, Warner said he has not seen the level of focus and urgency he’d like to have seen considering the number of federal employees impacted.
“Why would OPM let this contract without any kind of real competition and a speeded-up process?” he asked. “I know they need to act quickly, but clearly OPM had the information, there’s been a data breach literally for months, and only more recently did they go ahead and notify employees. Why didn’t they move quicker? Then, when they did move, they’ve got a contractor that at least, on appearance’s sake, was not ready to take on the contract.”
If millions of people have been affected by the breach and it costs thousands to pay for credit monitoring, the breach has a huge financial impact as well.
“This is not only a governmental problem, but it is a pervasive private sector problem,” Warner said. “Estimates range from $24 billion to over $120 billion in costs each year due to hacking, both intellectual property and personal information. I believe that the number is much closer to the $100 billion-plus and it’s only getting worse. That’s why we need a comprehensive data breach bill. We need to have greater information sharing between the private sector and the public sector, in a safe, secure manner.”
Congress could also help matters by passing a comprehensive cybersecurity bill, Warner said.
“The fact that we are failing to act as Congress on this issue as it’s happening real time, the fact that we’re not getting OPM the additional resources that they need to beef up their security and, quite honestly, the fact that OPM has not been acting in what I think is a fast response and a leaning-in way, are all enormously, enormously troubling to me,” he said.