02:44 - Source: CNN
Failure to update software behind federal data breach
CNN  — 

Office of Personnel Management’s Director Katherine Archueta took sharp questioning from both Democrats and Republicans on the House oversight panel over the breach of millions of federal worker records by suspected Chinese hackers.

House Oversight Chairman Jason Chaffetz, R-Utah, told her “you failed, you failed utterly and totally,” when she would not say why the hacked data was not encrypted.

Chinese hackers are blamed for a hack of the Office Of Personnel Management two weeks ago that put personal information for 4 million federal workers at risk. Administration officials said last week that hackers may have stolen applications for security clearances, in a second hack.

RELATED: Hackers may have stolen applications for security clearances

A frustrated Rep. Stephen Lynch, D-Mass., said “I wish that you were as strenuous and hardworking at keeping information out of the hands of hacker as are at keeping information out of the hands of Congress” when not given a direct answer regarding whether hacked social security numbers were encrypted.

Rep. Elijah Cummings, D-Maryland. and the panel’s top Democrat, said “the picture is clear the United States of America is under attack. Sophisticated cyber spies, many from foreign countries are targeting the sensitive personal information of millions… millions of Americans.”

For his part, the government inspector reviewing a hack of government personnel records has determined that incomplete security across the system was at fault in part for the breach.

RELATED: China might be building vast database of federal worker information

Large portions of the OPM databases did not have security authorizations, according to an OPM audit completed months before the breach. Key databases housing sensitive national security data, including applications for background checks, had not met federal security standards, according to testimony prepared by the OPM’s inspector general for Tuesday’s congressional oversight hearing.

“Not only was a large volume (11 out of 47 systems) of OPM’s IT systems operating without a valid Authorization, but several of these systems are among the most critical and sensitive applications owned by the agency,” Michael Esser, OPM’s assistant inspector general for audits, wrote in testimony prepared for the House Oversight Committee.

Esser noted in his testimony that some problems had been identified in previous audits, dating back to 2007. But he also said some improvements had been made to the system.

CORRECTION: An earlier version of this story misidentified the gender of the government inspector authoring the report and misstated parts of how the report characterized the security breach.