OPM Faces More Criticism for Mishandling Data Breach
The Office of Personnel Management, the federal agency responsible for the theft of the personal information of more than 21 million Americans, is once again facing criticism, this time for failing to follow the appropriate procedures before awarding a federal contract to an identity theft protection agency.
OPM announced the cyberattack, which has been linked to China, this June. The personnel files of 4.2 million current, former and prospective federal employees were stolen, and the information taken included full names, birth dates, home addresses and social security numbers.
At that time, OPM hired a company called CSIdentity to provide identity theft protection services to those affected. The contract, which was worth almost $21 million, was granted in only three days. Individuals who used the service complained of long wait times, website crashes and incomplete policies.
OPM’s Inspector General, Patrick McFarland, released a report earlier this month that found the agency did not follow proper procedures when it hired CSIdentity.
On December 10, after reading McFarland’s report, House Oversight Committee Chairman Jason Chaffetz called for the firing of OPM’s chief information officer.
“I write once again to augment my concerns that Ms. Donna Seymour, chief information officer for the Office of Personnel Management, is unfit to perform the significant duties for which she is responsible,” Chaffetz wrote in the letter. “It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties.”
After the initial breach, OPM discovered a second incident had occurred in its security-clearance system, which compromised the personal information of 21.5 million people who had applied for security clearance or had their clearance renewed since 2000. OPM did not hire CSIdentity to handle this second breach and began a more comprehensive search.
The organization has also come under fire for its security practices. The Inspector General had warned OPM about security weaknesses before the attack and continues to find deficiencies in the organization’s information security procedures. OPM is in the process of upgrading its information technology.