In a statement OPM Director Katherine Archuleta claimed that the E-QIP fix was "not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited."
The undescribed E-QIP security hole was found during a comprehensive review of the security of OPM's IT systems. Because of the problem's severity, the OPM has temporarily taken the E-QIP system offline for security enhancements.
The OPM expects E-QIP could be offline for four to six weeks while the program is secured. The agency stated that it "recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so. In the interim, OPM remains committed to working with its interagency partners on alternative approaches to address agencies' requirements."
The OPM has also not addressed how it will provide credit and identity protection plan for exposed employees. An earlier attempt to provide protection failed almost immediately since its very design laid it wide open to phishing attacks.
Despite this gloomy recent history, Archuleta insisted in a statement that "The security of OPM's networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls. This proactive, temporary suspension of the E-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted."
One can only hope that this time the OPM can deliver on its security promises.