Weeks after the news of the Office of Personnel Management hack originally broke, the agency still doesn’t have a firm grasp on the number of employees affected. However, the real number might be four times worse than originally estimated. CNN reports that during “a closed-door briefing to Senators in recent weeks,” FBI Director James Comey suggested that 18 million people’s information could be compromised, including social security numbers, based on the OPM’s internal investigation. That number includes current and former federal employees, plus applicants. James Trainor, acting assistant director for FBI, supported his colleague’s claim.
However, the OPM has not changed its original estimate of 4.2 million and Tuesday the agency supplied senators with few answers to their many questions. “Generally, we don't yet know the magnitude of the breach, or the consequences, or number of federal employees, or personal information—the scope of the damage done,” Kansas Republican Sen. Jerry Moran said, according to the National Journal. But maybe that’s because there aren’t any great answers to give: The Wall Street Journal reports:
Estimates have been all over the place. Some people familiar with the investigation said that the breach could have compromised as many as 18 million records, but Tony Scott, the White House’s chief information officer, said in an interview Tuesday that those estimates are off base. He said some of names on stolen files could be on other files, and officials are trying to “deduplicate” the files to tally the total number of affected people.
“It’s a number that nobody knows at this point,” he said. “Anybody who gives you a number is just speculating at this point.”
Katherine Archuleta, director of the OPM, will continue making the rounds in Washington, D.C., as she answers, or dodges, questions from lawmakers. This week, Archuleta will appear in front of the Senate Homeland Security Committee, and she will speak again to the House Oversight Committee.
While some have called for her resignation, Archuleta has passed the blame onto the OPM’s legacy systems. And on Wednesday, the OPM released its 15-step plan for bolstering its defense against cyberattacks, including a heavier reliance on encryption, two-factor authentication, and advising from outside security firms.
As the OPM is forced to reckon with its responsibility in this breach, questions remain about the source of the hack and the motive. Slate’s David Auerbach previously wrote, “We don’t know quite yet exactly how it happened or who did it, despite some eager gestures at China.” Congress’ inquiry into the hack coincides with U.S.-China talks this week—and cybersecurity is on the agenda.