Not all the files compromised by two hacks into Office of Personnel Management computers were on older computer systems, OPM Director Katherine Archuleta told a Senate hearing Tuesday.
Archuleta had repeatedly blamed OPM's inability to prevent two massive cyber attacks on so-called "legacy" systems she inherited before taking over as OPM director in 2013.
But in testimony before a Senate appropriations subcommittee Tuesday, the embattled director acknowledged a few of the hacked systems were "modern" ones.
Archuleta then quickly defended her agency's response to the breach.
"OPM’s new tools were responsible for allowing us to find this at all. [We have] an aggressive plan to modernize OPM by end of fiscal year 2015 which will completely replace the legacy systems," she said. "We discovered these intrusions because we upgraded our systems in the last 18 months."
But a "Flash Audit Alert," issued last week by OPM's independent inspector general office, revealed that the upgrades themselves may fail.
"In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate, and introduces a very high risk of project failure,” the alert says.
China-linked hackers are believed to be responsible for both cyber intrusions, a claim China dismisses as "irresponsible."
In the first attack on OPM, announced earlier this month, the hackers were reported to be in possession of sensitive personnel information on millions of federal workers. OPM said as many as 4 million current and former federal employees may have been affected by the December hacking.
The second attack allowed hackers to access highly sensitive background information submitted by intelligence and military personnel for security clearances for several agencies, including the Central Intelligence Agency and the National Security Agency, U.S. officials said.
The deeply personal data needed to obtain security clearances includes information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. Applicants must also supply information on contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion.