(Bloomberg News) -- A key House lawmaker reprimanded the U.S. Office of Personnel Management on Tuesday for lacking security to prevent hackers from gaining personal data on current and former federal workers, and urged its top officials to resign.

“You failed utterly and totally,” Representative Jason Chaffetz, a Utah Republican and chairman of the Oversight and Government Reform Committee, said in describing the agency as “grossly negligent.” He said managers didn’t move faster to take precautions recommended for years by government auditors.

The breach of OPM’s networks “may be the most devastating cyber-attack in our nation’s history,” Chaffetz said during a hearing in Washington. “We’re talking about the most vital information of the most sensitive nature of the people we care about most.”

The hearing is the first in Congress since OPM disclosed hackers had breached its networks. The agency initially said records were stolen on more than 4 million current and former federal employees. On June 12, White House officials said the same hackers may have accessed a second set of records, including information related to background checks for workers to gain security clearances.

The Obama administration said in a statement the second attack included “prospective federal employees, and those for whom a federal background investigation was conducted,” such as contractors and people considered for jobs who weren’t hired.

Resignation Sought

Chaffetz after the hearing called on OPM Director Katherine Archuleta and her chief information officer, Donna Seymour, to step down, citing what he said was his lack of confidence in their ability to make changes.

“Those two had an opportunity to right the ship,” Chaffetz said. “They were given strong recommendations over a series of years but they didn’t get it done and there should be consequences. If we want a different result, we’re going to have to have different people.”

The number of current, former and private-sector employees affected by the breach probably will exceed 4 million, Archuleta said in response to lawmaker questions. She declined to provide a total, citing the continuing investigation.

Archuleta said some records potentially compromised dated to 1985 and could span the entire career of a government worker. She also said Social Security numbers in OPM’s databases weren’t encrypted. She and other Obama administration officials declined to say at the hearing if the Chinese government was behind the attack.

‘Constant Attack’

Archuleta and Homeland Security Department Secretary Jeh Johnson are scheduled to provide all House members a classified briefing later Tuesday on the attack.

In testimony before being questioned, Archuleta said the agency fends off an average of 10 million hacking attempts a month and the attacks will increase.

“Government and non-government entities are under constant attack by evolving and advanced persistent threats and criminal actors,” she said.

Archuleta said the detection of the attacks was an example of improved security monitoring by the agency.

“We discovered these intrusions because of our increased efforts in the last 18 months to improve cybersecurity at OPM, not despite them,” Archuleta said.

However, lawmakers cited a report from OPM’s inspector general last year that recommended Archuleta shut computer systems that lacked security validations. Archuleta said she didn’t disable the systems because it could have negatively affected other databases and records.

Total Triples

Hackers could have accessed data tied to 14 million people, more than triple the total disclosed by OPM, according to a lawmaker briefed on the investigation who asked not to be identified discussing classified information.

Bloomberg News previously reported that records on background investigations were accessed by hackers.

Many more people besides government employees are at risk of having their personal information compromised as a result of the breach, said Brian Kaveney, a partner with Armstrong Teasdale LLP in St. Louis who heads the firm’s security and facility clearance team.

Applicants for security clearances -- who submit 127-page forms that also may have been hacked -- list information for people used as references. That means people with no connection to the government may also have their credit and personal information at risk after the breaches, he said.

‘Best Friend’

“This means your pastor, your best friend, your mother, all their credit info and personal info is at risk,” Kaveney said in a phone interview. “We’re not just talking about the 4 million government employees. You have to multiply it by all the people listed on their clearance forms.”

Other witnesses at Tuesday’s hearing included Seymour; Tony Scott, U.S. chief information officer; and Sylvia Burns, chief information officer for the Interior Department, where OPM’s data was hosted.

Burns said the hackers had access to all information stored in the Interior Department’s data center, meaning the attack potentially compromised records from other agencies beyond OPM. However, the investigation so far hasn’t found data from other agencies was stolen, she said. She also said the hackers used “very sophisticated tactics,” without elaborating.

Panel Rebuffed

Government contractor United States Investigations Services LLC, now part of Altegrity Inc., refused to testify about a hacking attack last year, said Representative Elijah Cummings of Maryland, the top Democrat on the oversight panel.

Cummings said he wants to know if hackers who breached USIS and another contractor, KeyPoint Government Solutions Inc., used stolen data to break into OPM’s networks.

“I believe USIS and it’s parent company may now be obstructing this committee’s work,” Cummings said during the hearing.

Separately, the Department of Homeland Security said on Monday that as many as 390,000 current and former DHS employees, contractors and job applicants potentially had their data compromised in another hacking attack last year. The hackers breached a contractor’s network, DHS spokesman S.Y. Lee said in a statement.

“To date, no nefarious activity associated with this potential intrusion has been observed,” Lee said. “We are committed to ensuring our employees’ privacy and take very seriously our responsibility to protect sensitive data in background investigations.”

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access