After hack attacks, US government personnel office has some explaining to do

The Office of Personnel Management has some explaining to do.

Cyberthieves have pilfered the personal information of millions of federal employees - notably including the private data of those with security clearances - and the story seems to grow worse by the day.

While investigating a cyberattack on the information of about 4 million feds, officials discovered "a separate intrusion into OPM systems that may have compromised information related to the background investigations of current, former, and prospective Federal government employees, and other individuals for whom a federal background investigation was conducted," Samuel Schumach, OPM's press secretary, said Sunday.

The words "separate intrusion" don't amount to major news but do set this statement apart from a similar one Schumach issued Friday. It implied the hit on employees with background investigations was part of the larger attack that was announced on June 4.

Schumach would not elaborate on his statement, which leaves many questions unanswered.

The House Committee on Oversight and Government Reform has called OPM officials to a Tuesday hearing to answer those questions, but OPM has demurred, according to the chairman.

"We've had resistance from OPM in terms of attendance," Chairman Jason Chaffetz, R-Utah, said on Saturday. "I'm prepared to issues a subpoena if need be. They're going to come explain this to the public. No more hiding behind a press release." OPM objects to that characterization, saying it has been cooperative with the committee and does plan to participate in Tuesday's hearing.

So far, written statements are all the public and particularly federal employees have received from OPM. Those statements provide little comfort for the 4 million (or is it 14 million?) current and former feds, whose Social Security numbers were taken.

The June 4 OPM statement revealed that personally identifiable information for 4 million workers potentially was compromised in the breach that began in December and was discovered in April.

But on Friday, the Association Press said the records of up to 14 million people were exposed to hackers, a number OPM would not confirm, citing its ongoing investigation. Whatever the number, the fact that background investigations were hit is reason to worry.

Background investigations are done on federal employees, contractors and applicants who need security clearances. If you have one, presumably you are in a position to know government secrets. If there is "high degree of confidence," as OPM said, that the information of these individuals was targeted, then the thieves could be building their own database of well-placed federal employees for exploitation later.

The thieves apparently got hold of information on the SF (Standard Form) 86, the OPM "questionnaire for national security positions," as my colleague Ellen Nakashima reported. This 127-page form asks for detailed information, including birth dates, addresses, height, weight, hair color, eye color, phone numbers, e-mail addresses, schools, passport numbers, previous addresses, names and contact information for people related to the previous addresses, previous jobs and supervisors at previous jobs.

It goes on and on and on.

The compromise of security clearance information is one important area Chaffetz and Rep. Elijah Cummings, D-Md., the top Democrat on the committee, are eager to probe. They have many other questions for OPM officials, including some on basic points, such as how many people were affected by the breach.

"At first they were talking about 4 million, then I hear about 14 million," Cummings said Sunday. "That's a big difference. . . . What's that about?" Here are some of the other questions Chaffetz and Cummings listed: What was the size and scope of the attack? Why did it take so long for OPM to become aware of the breach? What is being done to notify employees and protect them from future harm? What is the full extent of the information taken? Can that information be used to compromise those with security clearances? What was done to prevent a cyberattack? What happens after an attack? How did OPM get into this fix? Questions such as those work to undermine the trust some federal employees and members of Congress have in OPM.

"I don't trust them. I don't know why they should," Chaffetz said. "I really do worry about this." Cummings and others are willing to cut OPM a bit more slack.

"We are living in an age where our privacy is at risk," said Carl Goldman, executive director of American Federation of State, County and Municipal Employees Council 26, which represents staffers at the Library of Congress and the Agriculture and Justice departments, among other places. "Those who try to protect us from privacy invasions have a difficult job." Cummings said it's not a question of trust but of the government's capability to thwart an attack.

"That's what I'm concerned about," he added. "Do we have the capability, and are we doing all we can do?" If the answer is yes, then yes isn't good enoough.