Top Federal HR Official Resigns After Massive Data Breach


By Roy Maurer July 10, 2015

The historic data breach affecting more than 20 million current and former federal employees and the resignation of the official in charge of the government’s human resources office highlight HR’s critical responsibility for protecting employee information.

Office of Personnel Management (OPM) Director Katherine Archuleta resigned July 10, 2015, a day after revealing that recent data breaches of government systems affected 21.5 million current and former employees, contractors and their family members.

The compromised data includes personnel information such as health, financial and criminal records as well as the background checks used to screen potential employees. Anyone who underwent a federal background investigation from 2000 on “is highly likely” to be affected, OPM announced.

“By their very nature, HR departments are a treasure trove of data, as they’re responsible for protecting employee information ranging from home addresses to Social Security numbers,” data security expert Nigel Johnson of Zix Corp., told SHRM Online in June when the secondof two breaches was announced. “To ensure data security, it’s crucial for companies to nail the basics, including proper training of employees that come in contact with sensitive information and implementing the right tools, such as e-mail encryption and data-loss prevention technology. It is up to HR and IT to work together to ensure the right data-protection tools are in place and training is thorough so, at the very least, the communication of sensitive information is secure,” he said.

The largest data theft in American history began when intruders gained access to employee credentials stolen from an external contractor, highlighting that OPM failed to properly protect user accounts with privileged access.

Stu Sjouwerman, founder and CEO of IT security company KnowBe4, based in Clearwater, Fla., outlined perennial best practices for employers to use to protect employee credentials, including:

Deploying wall-to-wall two-factor authentication.

Eliminating passwords altogether and using biometrics instead. Alternatively, employers could move to a single sign-on service so that employees only use one password.

Putting employees through effective security awareness training that includes password management.

Rich Target

The agency revealed on June 4, 2015, that it had discovered a cyberattack involving data for 4.2 million current and former federal employees. On June 12, OPM disclosed a second attack that targeted information for millions more Americans who applied for security clearances. Both hacks had been ongoing since 2014.

Richard Spires, chief executive officer of Resilient Network Systems Inc., and former chief information officer for the Internal Revenue Service and the Department of Homeland Security (DHS), said other federal agencies are also at risk for data breaches because of a lack of IT management and security best practices and a slow-moving procurement process that prevents speedy adoption of the latest technology.

“Beginning in the 1990s and up to the present, the federal government has not properly managed IT, having failed to effectively adapt with the changes in IT technology and the evolving cybersecurity threat,” he said.

“Federal agencies are a rich target and will continue to experience frequent attempted intrusions,” agreed Andy Ozment, assistant secretary for cybersecurity and communications at DHS. To make up for “20 years of underinvestment in public and private cybersecurity,” Ozment advised Congress to pass cyberthreat sharing legislation currently sitting in the Senate and codify the Einstein intrusion detection system for use across federal civilian agencies.

“The OPM hack is an excellent example of our government on the one hand hoovering up massive amounts of data and on the other hand not having sufficient protection in place to guard that data,” Sjouwerman said. “There is systemic failure on the side of the government, despite projects like Einstein, which are supposed to guard against intrusions.”

OPM is currently reviewing the architectural design of its IT systems to identify and mitigate vulnerabilities and assessing its data sharing and use policies.

The Obama administration also launched an online cybersecurity resource center to provide information about the incident and is crafting a proposal to offer free credit and identity theft monitoring services to all federal workers, whether or not they were affected by the breaches.

Credit and identity theft monitoring services “should be provided to all federal employees in the future—regardless of whether they have been affected by this incident—to ensure their personal information is always protected,” OPM said.

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy​​


Job Finder

Find an HR Job Near You
Search Jobs


Redefining Engagement in the New Work-Life World, August 20, 12 p.m. ET / 9 a.m. PT

Redefining Engagement in the New Work-Life World, August 20, 12 p.m. ET / 9 a.m. PT

Register Today


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect