A March 2014 cybersecurity breach at the Office of Personnel Management may have contributed to the theft of the personal information of millions of federal employees, according to a top lawmaker.
Rep. Jason Chaffetz, R-Utah, the chairman of the House Oversight and Government Reform Committee, said during a June 24 hearing that a previously reported incursion into OPM's systems in March, 2014 actually got more information than previously reported.
That information might have led to the widely reported breach discovered in April where more than 4 million federal employees had their personally identifiable information stolen by hackers.
OPM Director Katherine Archuleta said in the hearing that no personally identifiable information was lost, but CIO Donna Seymour said the hackers took documents containing information related to OPM's IT security systems, its servers and its network infrastructure.
"That would give you enough information that you can learn about the platform, the infrastructure of our systems," Seymour said in the hearing.
Chaffetz called Archuleta's previous statements regarding that breach "misleading" and "a lie," because while the hackers did not get personal information related to federal employees they still got valuable information regarding OPM systems.
"This was the first step. It allowed them to come back," Chaffetz said.
Archuleta also addressed media reports regarding the number of federal employees affected by the breach, saying that the investigation was ongoing and that reports of up to 18 million people affected were premature.
"As I have noted we continue to analyze the background investigation as rapidly as possible to best understand what was compromised and we are not at a point where we are able to provide a more definite report on this issue," Archuleta said.
Chaffetz pushed for more specific numbers regarding the people affected, saying that pervious OPM testimony to Congress showed the agency safeguarded the information of up to 32 million people.
But Archuleta said the agency was still investigating the breaches and was not at a point where it could report a number of people who were affected.