USA TODAY International Edition

What we know and what we don’t

China being called the ‘leading suspect’

Erin Kelly

The biggest and most devastating cyberattack against the U.S. government was revealed this month when the Office of Personnel Management announced that hackers had compromised the personal data of millions of current and former federal employees.

Congress has held five hearings in the past two weeks to try to find out just what happened, but the full impact of the massive attack is still under investigation. Here’s a look at what we know so far.

Q: How many government employees have had their personal information compromised?

A: This remains one of the biggest unanswered questions. OPM Director Katherine Archuleta said the first hack the agency discovered in April involved a breach of the personnel records of about 4.2 million current and former employees. OPM has notified all those people that their data have been compromised.

However, a second separate, but related, data breach was discovered in June as the first was being investigated. Hackers were able to gain access to records of background check investigations done on current, former and prospective employees who applied for jobs that require a security clearance. Archuleta said OPM and federal investigators are still trying to determine how many people were affected by that attack.

Q: Why has the number of victims been estimated at 18 million in many news reports?

A: Members of Congress said FBI Director James Comey told them, in private briefings, that the number of victims is estimated to be 18 million. FBI officials said at a Senate hearing that that number was based on OPM’s own internal memo.

Archuleta said she is not comfortable with that number.

“It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigations data,” Archuleta told the Senate homeland security committee. “It is not a number that I feel comfortable, at this time, represents the total number of affected individuals.”

On Wednesday, House Oversight Committee Chairman Jason Chaffetz raised the possibility that the actual number of people whose data were breached could be as high as 32 million. He based that assertion on OPM’s 2016 budget request, which says that the agency is the proprietor of personally identifiable information on 32 million federal employees and retirees.

Q: Have the hackers been identified?

A: Officially, no. Unofficially, yes.

President Obama has not publicly blamed any specific group for the attack. But administration sources have told USA TODAY and other major news outlets that the attack has been linked to Chinese hackers.

Sen. John McCain, R-Ariz., pressed Archuleta on Thursday on why she won’t say that publicly. Archuleta said her agency was not the one to determine that and said she would defer to the State Department.

“Even though it’s all public knowledge that it was China, you’re not ready to tell the committee that you know that it was China that was responsible for the hacking?” McCain asked Archuleta.

However, at a conference that same day, Director of National Intelligence James Clapper did refer to China as “the leading suspect.”

Q: How did the hackers get into OPM’s systems?

A: Archuleta confirmed in congressional testimony that hackers obtained a credential used by KeyPoint Government Solutions, a Colorado-based contractor that OPM uses to conduct background investigations of applicants for federal jobs that require a security clearance.

The hackers used that log-in credential to breach OPM’s data, she said.

“I want to be very clear that while the adversary compromised a KeyPoint user credential to gain access to OPM’s network, we don’t have any evidence that would suggest that KeyPoint as a company was responsible or directly involved in the intrusion,” Archuleta told a Senate subcommittee.

KeyPoint CEO Eric Hess told the House oversight committee, “We do not actually know how the employee’s credentials were compromised.”

Q: Why was OPM vulnerable to a cyberattack?

A: Archuleta has testified extensively about the weaknesses of OPM’s aging information technology systems, some of which are 30 years old. She said she made it a top priority to modernize the systems when she took office 18 months ago and has begun to deploy comprehensive new security technologies.

“We were not able to deploy them before these two sophisticated incidents (attacks), and, even if we had been, no single system is immune to these types of attacks,” she told the Senate Homeland Security Committee. However, OPM Inspector General Patrick McFarland said OPM has had a long history of ignoring warnings from his office about weaknesses in its systems.

“We believe this long history of systemic failures to properly manage its information technology infrastructure may have ultimately led to the breaches,” McFarland said.
