Roll Call: OPM Hack Snares Senators

Despite a number of congressional hearings and classified briefings, lawmakers are frustrated by the lack of information relating to the recent Office of Personnel Management data breaches, and it is now clear  some lawmakers’ records may have been affected.

At least two current senators who were not federal employees were notified their information may have been compromised, signaling that retirement records for former House members may have been compromised in the first security breach, which the OPM announced on June 4.

Sens. John Boozman, R-Ark., and Steve Daines, R-Mont., received letters from the OPM saying their personal identifiable information such as dates of birth and Social Security numbers may have been compromised. “I don’t really know how I got caught up in it,” Boozman told CQ Roll Call Tuesday evening. Daines assumed his former House service was the cause.

“I think because I was in the House for one term, when you go to the Senate you have a break in service technically,” Daines recently told CQ Roll Call. “And I guess that’s part of the reason that there was that trigger.”

Daines was sworn in as a senator at the beginning of this year and is 1 of 53 current senators who came from the House. According to a spokesperson for the House Chief Administrative Officer, when a House member leaves office, his or her information is sent to the OPM, which is similar to the process for congressional staffers leaving the legislative branch.

The same is true for former senators, according to a source with the Office of the Secretary of the Senate, which handles daily Senate operations. But a handful of former senators contacted by CQ Roll Call who were neither federal employees nor House members previously said they did not receive a letter from the OPM, which could signal that Senate retirement records might not have been affected.

Asked if the breach raised concerns about how personnel information is handled for Capitol employees, Boozman said, “I’ve got great concern about how all the information’s handled. And we really don’t know how it is handled.”

Boozman and Daines were among the more than 4 million people who received a notice in June saying their information may have been affected in a data breach. The OPM first detected the breach in April 2015 and, a month later, the agency discovered a second intrusion relating to federal background investigations. The agency has not yet disclosed how many current, former and prospective federal employees were affected by the second breach, but is expected to release an estimate later this week.

It is possible not all former House members were affected. For example, Sen. James Lankford, R-Okla., who sits on two committees with jurisdiction over the OPM — Homeland Security and Governmental Affairs and the Financial Services and General Government Appropriations Subcommittee — did not receive a notice from the agency, though he once served in the House.

Lankford has joined other lawmakers in demanding answers relating to the breaches. On July 2, Lankford penned his second letter to the agency, after sending a letter to OPM Director Katherine Archuleta in June. In the July letter obtained by CQ Roll Call, Lankford wrote that “questions remain unanswered.”

“Accordingly, in addition to the obvious cybersecurity concerns that arise from this breach,” Lankford wrote, “I am concerned with the lackadaisical management that OPM has displayed in its wake.”

Lankford has not gone so far as to call for Archuleta to step down, though some of his Republican colleagues in the House and Senate, including Daines, have. On June 26, Republicans on the House Oversight and Government Reform Committee wrote to President Barack Obama, urging him to remove Archuleta and OPM Chief Information Officer Donna Seymour from their posts for failing to take steps to prevent the intrusions.

When asked Tuesday evening if Archuleta should step down, Boozman, who chairs the Financial Services and General Government Appropriations Subcommittee that has jurisdiction over OPM funding, said he would reserve judgment until they have more information on what happened. “I think that somebody needs to accept responsibility and the question is who that is,” he said.

In addition to a concern for lack of information and mismanagement, lawmakers are also raising questions about the credit monitoring service offered to those affected by the breach. The OPM has offered 18 months of a credit monitoring service along with identity theft insurance, and lawmakers, especially those with throngs of federal employees for constituents, are concerned it is not enough.

“It’s uncertain as to the vulnerabilities,” Sen. Benjamin L. Cardin, D-Md., said after a closed-door briefing on the breach on June 23. “I think the federal workforce should have a greater comfort level that the government’s standing behind them.”

Sen. Susan Collins, R-Maine, went further, raising questions about the credit monitoring when describing her own experience enrolling in the service. Collins worked in the legislative and executive branches before being elected to the Senate and received a letter that information was compromised in the first breach.

“Now here’s the irony: This [credit monitoring] form requires you to put in your Social Security number, your date of birth, your home address,” Collins told reporters after the classified briefing. “So it’s like, boy, I hope they bothered to encrypt this one. I mean, I really debated whether to fill it out.”

Archuleta has stressed at hearings that she is angry about the breach and understands workers’ concerns. The OPM has also attempted to respond to criticisms, detailing in a June 24 report additional actions to bolster cybersecurity. Those 15 new steps included reviewing data encryption, consulting with outside experts, and conducting monthly reviews with top leadership.

But detailing security efforts did not appear to quell lawmakers’ concerns. Collins also said, “I have absolutely no confidence that this could not happen again tomorrow.”