Millions of government-employee records apparently stolen by Chinese hackers were not encrypted, and software designed to detect computer breaches has not been installed to cover most of the files, officials said Tuesday.
The disclosure this month of two devastating hacks at the Office of Personnel Management has exposed vulnerable and outdated federal computer systems that are used to store details collected for government job applications, security clearances and other needs.
Intelligence officials are concerned that Chinese intelligence services or others could use the data to recruit spies inside the U.S. government and to design carefully tailored emails to infect computers of federal workers with access to secret files.
During a contentious congressional hearing about the massive digital theft of federal personnel files, lawmakers ripped into the officials in charge of securing the networks.
The agency’s inspector general had recommended last year that the databases be upgraded following a previous hack that was discovered in 2014. But lawmakers said that the agency didn’t move quickly enough to patch holes in the system.
“You failed. You failed utterly and totally,” Rep. Jason Chaffetz, R-Utah, chairman of the House Oversight and Government Reform Committee, told the officials.
Many electronic files that hold Social Security numbers, health-carrier information and other details about the personal lives of officials and government contractors are so antiquated that federal computer experts are unable to encrypt the files at all, said Donna Seymour, the top technology officer for the Office of Personnel Management.
“Some legacy systems may not be capable of being encrypted,” Seymour told lawmakers, who expressed bafflement and frustration at the lack of progress to improve the outmoded systems.
The security breaches follow a “long history of failing” at OPM to update its information technology infrastructure, Michael Esser, the assistant inspector general of audits for the agency, told lawmakers.