Head of federal personnel agency resigns in wake of hacked databases

On the heels of the announcement that 22 million Social Security numbers were compromised, Katherine Archuleta steps down as director of the Office of Personnel Management.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

Office of Personnel Management Director Katherine Archuleta, who testified before US lawmakers last month about the hacks, told President Obama "it is best for me to step aside and allow new leadership to step in." Chip Somodevilla/Getty Images

The head of the federal agency whose databases were robbed of more than 22 million Social Security numbers resigned Friday. Katherine Archuleta, who is leaving the Office of Personnel Management, said she hoped her departure would help the government "to move beyond the current challenges."

Archuleta has faced criticism as the hacking crisis unfolded, and leaves her agency as it ramps up efforts to assist those affected by the hack, improve its systems to prevent further breaches and deal with potential liability in court. At the agency, she oversaw the worst breach in a string of attacks against government systems and Internet accounts that included a hacked CIA website, a breached military Twitter account and intercepted White House emails. A previous attempt on federal employee information was unsuccessful, The New York Times reported last year.

"I conveyed to the President that I believe it is best for me to step aside and allow new leadership to step in," Archuleta said in a written statement.

One of the biggest questions surrounding the hacks was the number of people affected. That question was answered Thursday, when the agency announced that two separate hacks had compromised the Social Security numbers of 22.1 million people. The hacks were first announced in June, a few weeks apart. The first hack only affected 4.1 million people, but a major union of federal workers wrote an open letter to Archuleta saying its leadership believed far more people were involved.

The next day, the agency announced the second hack, which affected the background check documents of applicants for federal security clearances. But the Office of Personnel Management declined until Thursday to clarify how many people were affected. The total was 21.5 million, including some 1.8 million who were not applicants for security clearances but were listed on other people's paperwork. About 3.5 million people were affected by both hacks.

All told, the hacks swept up the Social Security numbers and other personal information of about 6.8 percent of the American population.

The whereabouts and fate of that stolen information is impossible to know, security experts said. While the Office of Personnel Management said Thursday that no sign of misuse of the data has surfaced yet, that offers cold comfort to those involved because advanced criminals or spies are unlikely to tip their hand, said Chris Wysopal, an executive at code-debugging firm Veracode.

The Office of Personnel Management has not provided an estimate of how much the services they will provide to victims of the hacks will cost taxpayers, but they have said they will provide identity theft insurance, as well as credit and fraud monitoring, through contracted services.

In a congressional hearing in late June, Rep. Jason Chaffetz (R-Utah) grilled Archuleta on the extent of the hack, and at one point the now-resigned director said she was told by security experts that one tool for protecting the Social Security numbers -- encryption -- would not have helped.

Encryption encases sensitive information in code that only the intended recipient can read. Experts in the data security industry said it would have indeed helped protect the information.

"If you encrypt the individual bits of data and attach strong policy to it, it can't be opened no matter where it ends up," said Ajay Arora, CEO and co-founder of cybersecurity company Vera.

The lawsuit filed by the American Federation of Government Employees accuses the government and a contractor of negligence in protecting the data. Behnam Dayanim, an attorney at law firm Paul Hastings, said the employees have some high bars to clear before the government would be held liable for a lot of monetary damages.

However, he noted, the federal government is in an awkward position in trying to defend itself. Any reason they give for why they shouldn't be held liable could reflect poorly on them, Dayanim said.

"They government is somewhat constrained in the arguments it can make because of the optics and the politics."