U.S. personnel chief: Contractor’s credential used to breach system
Washington — The head of the government agency that suffered two massive cyberattacks said Tuesday that a hacker gained access to its records with a credential used by a federal contractor.
Katherine Archuleta, director of the Office of Personnel Management, told a Senate hearing that an “adversary” somehow obtained a user credential used by KeyPoint Government Solutions, a contractor based in Loveland, Colorado.
She didn’t say specifically when that occurred or if it was linked to the two cyberbreaches that exposed private information on nearly every federal employee and personal histories of millions with security clearances.
“I want to be very clear that while the adversary leveraged — compromised — a KeyPoint User credential to gain access to OPM’s network, we don’t have any evidence that would suggest that KeyPoint as a company was responsible or directly involved in the intrusion,” she said.
The agency has not identified any “pattern or material deficiency” that led to the compromise, Archuleta said, and the company has actively worked to secure its network and meet additional protective controls the government has asked for.
President Barack Obama has said he continues to have confidence in Archuleta, although several Republican and Democratic lawmakers have called for her ouster. She blamed old computer networks and told the Senate panel that nobody was personally responsible for the cyber break-ins.
“If there is anyone to blame, it’s the perpetrators,” she said.
Archuleta said the cyberattacks were discovered because of OPM’s stepped-up efforts in the past 18 months to improve security, but she acknowledged the office still has work to do. She said that in fiscal 2014 and 2015, the agency committed nearly $67 million toward shoring up its information technology infrastructure and in June of last year began completely redesigning the network.
She said that work is on schedule and on budget, that OPM has added firewalls and a better authentication process for remote access, and that it is expanding the methods it uses to encrypt data. A new data center network is expected to be completed by the end of this fiscal year. The agency’s budget request for fiscal 2016 includes an additional $21 million above 2015 to further support modernization.
Copyright 2015 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.