The U.S. Office of Personnel Management (OPM) said on Monday it would temporarily suspend a program it uses to complete background investigations, following a data breach that compromised the personal information of millions of Americans.
The program, called Electronic Questionnaires for Investigations Processing (e-QIP), was not involved in either of two attacks by suspected Chinese hackers on personnel data and applications for security clearances, OPM said. The breaches were announced earlier this month.
After a security review ordered by Director Katherine Archuleta found a vulnerability in the system, OPM said it would take e-QIP offline for 4-6 weeks until security can be enhanced.
In a statement, the agency said there was no evidence the vulnerability had been exploited.
But the move amounts to an implicit admission the electronic submission system is vulnerable, and some agencies are considering switching to a more old-school process of submitting data on paper, according to sources familiar with the issue who were not authorized to speak publicly about it.
The breach has fueled doubts about the centralized electronic system set up to process security clearances after the Sept. 11, 2001, hijacking attacks, and could prompt some intelligence agencies and others to switch back to their own applications, the sources said.
The electronic system is designed to collect massive amounts of personal data, ranging from financial histories to family information, on those undergoing federal background checks.
Brian Kaveney, who heads the security clearance practice at the law firm Armstrong Teasdale, said the move would compound a logjam caused by mandatory budget cuts in 2013.
"This security measure will doubtlessly increase the processing time of clearance applications and potentially create a backlog," Kaveney said in an interview.
One Senate aide, who was not authorized to speak publicly, said the move could pressure the U.S. government to continue reducing the number of overall clearances issued.
The announcement follows widespread doubts among lawmakers about Archuleta's ability to lead OPM following the announcement earlier this month of the sweeping breaches.
Archuleta has so far refused to answer where the attacks originated or how many people were affected, leading many in Congress to call for her resignation.
The massive data breach is now believed to have affected well over 10 million separate users, the sources said. The Federal Bureau of Investigation has said up to 18 million could have been affected.