The latest news about the massive data breach at the U.S. Office of Personnel Management indicates there may be even more personal records at risk than previously disclosed.
Even more alarming is that it appears that the OPM's attempts to fix the problem may be adding even more risk, which suggests that federal officials don't have a clear idea of how to improve the security of sensitive government databases.
The bad news came this week during Congressional hearings when OPM director Katherine Archuleta was asked exactly how many people were at risk because of the breach. Archuleta declined to give an exact number, although she admitted that the current best guess of 17 million could be correct, but also that the number could go higher. Note that this number has risen from estimates that circulated a week ago.
Archuleta was asked if the number could go as high as 32 million records. She declined to provide a number.
So at this point, nobody really knows just how many government employees, retired employees, former employees, military personnel and individuals with security clearances have had their records taken, but the current best guess is that it's all of them. The reason there's no exact number is because nobody is sure how many records there are to take.
Fortunately, someone at OPM figured out that the agency needed to install some form of security management software for its systems. Unfortunately, whoever decided what management system to get didn't go through proper channels, didn't select an approved system and apparently didn't clear the software (or the acquisition process for that matter) with anyone.
If there is good news here, it's that the software which had just been installed back in April when the breach was discovered, apparently worked well enough to find the intrusion. But the security management system only works on part of OPM's computer systems. The rest are old, incompatible, COBOL-based mainframe computers that have never been updated.
After OPM Inspector General, Patrick McFarland, took a look at the agency's efforts to improve its data systems security, he issued something called a "flash audit alert," which is exceedingly rare.
A copy of the audit alert report, obtained by the Associated Press, said that the situation requires immediate action. "There is a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications," the report said.
The IG report also said that OPM initiated the project without a complete understanding of the agency's technical infrastructure, the scale of the project or even the projected cost. From there it gets worse.
It turns out that in addition to the two breaches that OPM has already admitted to finding, a third breach was discovered at OPM systems hosted at the Department of the Interior. That breach apparently happened due to an infected computer that was compromised at a contractor location.
During their testimony, OPM officials have reported that more than half of the work being done on those government systems was being performed by contractors. And where were those contractors located?