Personnel Director Says She Isn’t To Blame After Two Giant Hacks

“If there is anyone to blame it is the perpetrators.”

The director of the Office of Personnel Management has a response to legislators calling for her head in the aftermath of two devastating government hacks: Don't blame me.

During a testy hearing Tuesday in front of a Senate appropriations subcommittee, Katherine Archuleta, OPM's top official, said that no one at her agency should be held personally responsible for the security failures that allowed malicious hackers access to the personnel files and sensitive background information of millions of current, former, and prospective federal employees.

"If there is anyone to blame it is the perpetrators," Archuleta said, adding that battling cybersecurity threats is a responsibility for "all of us." Archuleta also said that OPM's legacy IT infrastructure poses significant challenges. "This is decades of lack of investment in the systems we inherited when I came in."

In other words, Archuleta tried to place blame not on any individual, but on a long-neglected system she's now attempting to correct. "I don't believe anyone is personally responsible," she said. "I believe we are working as hard as we can to protect the data of our employees."

Archuleta had previously testified that federal employees' social security numbers had not been encrypted when they were stolen. However, she did say on Tuesday that even if the data had been encrypted, hackers still would have been able to obtain and read it (she said her IT colleagues informed her of this but she didn't go into further detail about how they knew it). Archuleta told the Senate panel that notifying employees about the data breach and providing them with credit monitoring services cost the government between $19 million and $21 million.

According to a CNN report, Director of the FBI James Comey told Senators in a closed-door briefing that an estimated 18 million people were affected by the hack. But at the public hearing, Archuleta placed the official number at four million employees.

The scope and nature of the second theft — which was discovered after a reaction team started investigating the first hack in April, and which includes extensive information about workers who have applied for a security clearance — is still unknown. Archuleta couldn't provide more details, saying the investigation into the second hack is ongoing. US officials believe Chinese hackers are behind the data breach.

Archuleta's responses will likely aggravate tensions between her and members of the House Oversight Committee. Following a tempestuous hearing in front of that panel last week, chair Jason Chaffetz called for Archuleta's resignation, along with that of her Chief Information Officer, Donna Seymour. Rep. Ted Lieu, another member of the oversight committee, expressed his frustration with Archuleta's management and called for someone within OPM's senior leadership to take responsibility and step down. In what will likely be a turbulent hearing, Archuleta will face the oversight committee tomorrow in a second round of questioning over the OPM breach.