OPM Director Resigns After 21.5 Million Social Security Numbers Stolen In Data Breach

Katherine Archuleta, director of the Office of Personnel Management (OPM), handed her resignation to President Obama after the data of 21.5 million people was compromised in the largest data breach in the U.S. government's history. The leaked information contained social security numbers, fingerprints, login credentials and background investigation records.

According to Josh Earnest, the White House press secretary, she offered her resignation "of her own volition." Archuleta realized that the agency "required a manager with a set of specialized skills and experiences." In other words, someone with much more experience in security and cryptography.

At an earlier House hearing on the OPM hack, many committee members thought Ms. Archuleta should be fired for allowing such a devastating attack to happen under her watch and for not properly protecting the sensitive information of millions of federal employees.

The Inspector General has been warning the OPM for many years that its security measures weren't strong enough, but his recommendations to enable two-factor authentication and database encryption, for instance, were not followed. Even after the attack, director Archuleta didn't seem in a hurry to collaborate with the Inspector General on this.

The new acting director of OPM will be Beth Cobert, who was up until now the U.S. chief performance officer and deputy director for management at the Office of Management and Budget. OMB is the same agency that a few weeks ago published new security policies, which required all federal websites to adopt HTTPS encryption by the end of 2016.

In the earlier House hearings, many believed that Donna Seymour, the Chief Information Officer of OPM, was at least as responsible, if not more so, as Katherine Archuleta, the agency's director. That's because Donna Seymour was the person specifically in charge of the security of the OPM. However, the White House hasn't called for her resignation, so far. It's possible, though, that with a new director in charge, the CIO could be replaced soon as well.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jimmysmitty
    Archuleta realized that the agency "required a manager with a set of specialized skills and experiences." In other words, someone with much more experience in security and cryptography.

    The security and identities of people need to be protected by someone who understands cyber security? No.......

    As usual the government shows me why I am glad I don't work for them. They tend to put people in places of power with no idea of what they are actually doing.

    My wife works for the Arizona DPS, and might have to worry about this since she is in the Air National Guard too, and they have one of the most inept IT departments I have ever seen. One of her co-workers' husbands runs his own IT consultation firm and I do IT for a national sand and gravel company and both my wife and her co-worker call us for computer problems before even going to their IT department.

    Just upsetting.
  • CSA_Myth
    Jimmy, you are 100% correct and it has only gotten worse over the last few years. I cannot say where I work or what my current duties are (of course OPM has already lost that information), but I can say I work government IT and security.

    The major issue is the government is still in a react to technology state. They are never in the forefront of change and it has bit them more times than once. It also doesn't help with all the cut downs and draw backs, the interns and the lower level employees who actually do the work and understand the technology/security get let go and the higher ups who are left have no clue what they are doing when those duties get dumped in their lap.

    The government needs to reassess their priorities and move to a secure and proprietary system, but no they will still use systems that run Windows, connect to Facebook, miss IAVA updates, not use HTTPS, not enforce two-factor authentication and let anyone with any skill to hack them out of their precious information.

    Hopefully this will finally bring some of these issues to light, but I will not hold my breath.
  • CROOKID
    Archuleta realized that the agency "required a manager with a set of specialized skills and experiences." In other words, someone with much more experience in security and cryptography.

    The security and identities of people need to be protected by someone who understands cyber security? No.......

    As usual the government shows me why I am glad I don't work for them. They tend to put people in places of power with no idea of what they are actually doing.

    My wife works for the Arizona DPS, and might have to worry about this since she is in the Air National Guard too, and they have one of the most inept IT departments I have ever seen. One of her co-workers' husbands runs his own IT consultation firm and I do IT for a national sand and gravel company and both my wife and her co-worker call us for computer problems before even going to their IT department.

    Just upsetting.

    Agreed.

    How about I am at the last steps for a specific well positioned government job (I won't mention which) which is a psych eval and I am at a standstill because of a true and false question I answered a certain way accidentally about my sexual activity.

    All after I had to jump through hoops to get appointments because of incompetent social workers (who spoke poor English) handling my application process. Father, uncle, aunt and cousins all in or retired after 40+ years as well positioned government employees.

    You would think half of this is okay because at least they are screening properly. Nope. It's because my application is taking longer due to having a lengthy work history because I didn't apply right out of college. Those people already got their respective jobs.

    My father developed statistical reporting strategies still used today in supreme courts. But take your time because I broke my ass my whole life and have a long track record of positive work ethic... (sarcasm)

    Then they wonder why their employees screw up. It starts at the core. The hiring, screening and evaluations used to employ government workers has become stringent in the wrong direction.
  • TheSecondPower
    The Fed prosecutes companies for leaking data, and now it has leaked more than almost any company it has ever prosecuted. And I haven't even heard about anyone even getting a slap on the wrist for this. The Federal government is so hypocritical.
  • RedJaron
    Just another in a string of incompetent people put in positions without knowing anything about it. Nearly anyone on these forums would know that a laptop hard drive crashing doesn't lose emails from the actual system. Most of us would know how to set up and properly secure a private email server as well. And now this, where she was given years of advice to secure systems and never actually implemented the measures. Seriously, where do I apply for these jobs? I wouldn't mind the extra money, and I sure couldn't do any worse a job than we've seen in the last couple years.
  • eriko
    It does make you wonder what goof-up you would have to commit to actually get fired there...
  • RedJaron
    16229082 said:
    It does make you wonder what goof-up you would have to commit to actually get fired there...
    What do you mean? These people don't get fired, they get promoted to other divisions.
  • George Phillips
    In this Internet and information age, she is apparently unfit to be at this position. She could have resigned much earlier. But she stayed and got our tax money.
  • merikafyeah
    At this point it is best to realign one's expectation to reflect that ALL companies are insecure unless you explicitly know otherwise.
  • 10tacle
    Just another in a string of incompetent people put in positions without knowing anything about it. Nearly anyone on these forums would know that a laptop hard drive crashing doesn't lose emails from the actual system. Most of us would know how to set up and properly secure a private email server as well. And now this, where she was given years of advice to secure systems and never actually implemented the measures. Seriously, where do I apply for these jobs? I wouldn't mind the extra money, and I sure couldn't do any worse a job than we've seen in the last couple years.

    With this administration, you do not apply. You just have to be a friend of it, and a certain demographic, that's all. This woman was Obama's 2012 Re-Election Campaign Director, for example.

    But as we've seen so many times with this administration and previous ones for that matter, political expedience and demographic checkmate experience and qualification time and time again.