Congressman Leonard Lance (NJ-07) tonight called for the resignation of Office of Personnel Management Director Katherine Archuleta and Chief Information Officer Donna Seymour following today’s disclosure that the personal information of more than 21 million federal employees was compromised in a data breach.
“The size of the breach is shocking. These two senior level managers are directly responsible for ensuring the protection of the agency’s massive technological network and have repeatedly failed to improve or secure the system despite years of warnings and successful attacks. The OPM has displayed no urgency to improve its cybersecurity posture. Change is needed in leadership to implement the types of reforms that will protect the sensitive information of federal workers. Director Archuleta and Donna Seymour should be terminated immediately,” said Lance, the vice chair of the Commerce, Manufacturing and Trade Subcommittee, which has examined data breaches on consumers.
More than 21 million Social Security numbers and sensitive information — including fingerprint data — were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management (OPM), the agency announced Thursday. That number is in addition to the 4.2 million Social Security numbers that were compromised in another data breach at OPM that was made public in June.
Beyond the fingerprints and Social Security numbers, some of the files in the compromised database included “residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” OPM said.
Lance co-signed a letter led by Oversight and Government Reform Committee Chairman Jason Chaffetz (UT-03) calling for the resignation of Office of Personnel Management Director Katherine Archuleta and Chief Information Officer Donna Seymour:
July 10, 2015
The White House
Washington, D.C. 20500
Dear Mr. President:
The failed cybersecurity posture and management of information technology at the Office of Personnel Management (OPM) has resulted in at least 21.5 million Americans’ having their personal, private and highly-sensitive data exposed to our Nation’s adversaries. The recent data breaches at OPM resulted not only from failures in technological investment and fundamental management, but from agency leadership.
The breach of OPM’s network has been deemed a “significant” national security concern by the Office of the Director of National Intelligence. The fact that OPM has suffered three known network breaches since November of 2013 demonstrates that hackers, likely foreign nations, are invading federal networks with impunity.
Director Archuleta and her leadership team failed to heed the warnings stemming from prior breaches of OPM’s networks and even by their own Inspector General as to the “material weakness” of OPM’s data security. Dating back to 2007, reports by the OPM Inspector General detail systems lacking proper security authorizations as well as failures to segment or encrypt data so sensitive that experts have referred to it as “a goldmine for foreign intelligence service[s].” These shortcomings left OPM’s systems at a high risk of vulnerability to attack. OPM Director Katherine Archuleta and Chief Information Officer (CIO) Donna Seymour were on notice and failed to act.
In her testimony before the Senate, Director Archuleta stated that she, “[doesn’t] believe anyone (at OPM) is personally responsible.” We disagree. Director Archuleta and Ms. Seymour failed to follow basic cybersecurity best practices, ignored years of warnings from their agency’s Inspector General, and are currently mismanaging changes to OPM’s legacy system.
Director Archuleta and Ms. Seymour have testified multiple times before Congress since the data breach was made public. In each instance, they failed to adequately explain or justify their management of OPM’s IT infrastructure and cybersecurity posture. This is simply unacceptable. The United States Office of Personnel Management is in need of leaders who understand and can confront cyber threats. Director Archuleta and Ms. Seymour have demonstrated that they are not up for this task.
In January, during your State of the Union address you stated, “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families.” We could not agree more. We respectfully request that you remove Director Archuleta and Ms. Seymour from their positions, and install new leadership capable of effectively protecting the data of millions of Americans.
Thank you for your attention to this important matter.