Fix the federal hacking breach

Witnesses, from left, Office of Personnel Management (OPM) Director Katherine Archuleta; OPM Chief Information Officer Tony Scott; Assistant Secretary of Office of Cybersecurity and Communications National Protection and Programs Directorate at the Department of Homeland Security Andy Ozment, and OPM Inspector General Patrick E. McFarland, testify on Capitol Hill in Washington, Thursday, June 25, 2015, before the Senate Homeland Security and Governmental Affairs Committee hearing on federal Cybersecurity and the OPM Data Breach. (AP Photo/Susan Walsh)

The fallout from the appalling security breach of federal employee records from the Office of Personnel Management continues to spread. And with agency director Katherine Archuleta expected this week to release the presumably final tally of people whose information was compromised, the full extent of this scandal should come into clearer — and even more alarming — focus.

As Thursday’s Washington Post reported: “The stolen information included names and Social Security numbers that cyber thieves can use for espionage or bogus financial transactions. But health information of individuals seeking security clearances apparently also was tapped in another breach OPM announced several days after the first one.”

And apparently there wasn’t just one break-in to the OPM files. The first was into a system containing personal information on about 4.2 million current and former federal employees. The second, more serious breach gained access to systems with the personal files of people applying for security clearances.

As the OPM put it, breached systems “included those that contain information related to the background investigations of current, former, and prospective federal government employees, as well as other individuals for whom a federal background investigation was conducted.”

Nor is OPM the only federal agency with data-security problems. From U.S. News & World Report last week:

“According to the Government Accountability Office, the number of ‘information security incidents’ in which federal data were compromised — which is a softer way of saying stolen — has risen from 5,503 in 2006 to 67,168 in 2014. That information was conveyed to the U.S. House Homeland Security committee by Gregory Wilshusen, the GAO information security director, who also said the National Cybersecurity Protection System may just not be effective at keeping intruders out of government data.”

Nearly three weeks ago, the OPM’s inspector general said the agency’s plans to upgrade its systems and make them more secure were so poorly designed and funded that there is “a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications.”

More evidence of the agency’s incompetent reaction to the crisis: It gave a $21 million contract to a firm that has proven itself incapable of handling the traffic generated by queries from the millions of affected individuals.

The Post also has reported that the website created by the contractor to which OPM refers inquiries frequently crashes, and that a phone hotline provided as a backup is so poorly staffed that people wanting to sign up for identity theft insurance and other protections offered by OPM have had to spend as long as three hours on hold.

Sen. Mark Warner, D-Va., fairly observed: “The agency’s awarding of this contract suggests ... that protecting employees exposed by the breach is not the top priority for OPM that it should be.”

Correcting this intolerable shortcoming must become a top priority for Congress and the White House.