The Office of Personnel Management didn't exactly choose the most honorable way out of the jam it was in Thursday.
It had admitted in June that the personnel data of 4.2 million current and former officials was stolen. Then, it sat for weeks on the bigger news that many millions more were hit in a second breach.
But on Thursday, when it was finally time to fess up, OPM buried the lead.
Its press release started with the headline: "OPM announces steps to protect federal workers and others from cyber threats." After weeks of grappling with news of the biggest theft of data in the government's history, that headline was an insulting non sequitur, considering what was already known and what OPM was about to reveal.
Instead of getting to the point, OPM poured on as much soothing irrelevancy as it could muster. Paragraph 1, OPM is wonderfully transparent. Paragraph 2, OPM has worked really hard to improve something called its "cybersecurity posture."
By paragraph 3, OPM started to gingerly approach the bad news. It admitted that data from background checks was also stolen, things like Social Security numbers and financial history.
Before getting to the numbers, OPM had a little more good news. In paragraph 4, it noted that fortunately, only some mental health information might have been stolen.
OPM wasn't done stalling. Paragraph 5: Remember those 4.2 million people whose data was stolen? Well, that number hasn't increased.
After nearly 450 words (almost twice as many as you've read so far in this story), OPM finally stumbled into what everyone wanted to hear:
"The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases," it said.
That's about five times more than the original number. In the news business, that's what we call "news."
The rest of the release talked about all the help OPM will give victims. Fraud monitoring, credit monitoring, identity monitoring for minor children. Then, some knee-jerk stuff about how OPM will work to "leverage outside expertise," "modernize its systems" and "ensure internal accountability."
How will those things ever come true? Among other things, OPM is hiring a cybersecurity advisor, and will undergo the obligatory "comprehensive review."
After more than 1,500 words, the release ended without any mention of three key pieces of information.
1) How much will it all cost? OPM was silent on that. So far, OPM has spent about $20 million notifying about 3 million people that their personnel data was stolen, and giving them credit monitoring services. If the same steps are needed for another 20 million people, it could cost more than $100 million.
All the "modernize its systems" talk doesn't sound cheap, either. OPM is expected to ask for almost $40 million soon, as a start. Its message boils down to, "We failed miserably; give us more money."
2) Will anyone get fired over this? No mention. But OPM Director Kathleen Archuleta did address that in a call with reporters.
"I am committed to the work that I am doing at OPM," she said. As of this week, then, it sounds like Archuleta is very attached to her job of protecting people's data. But that brings us to the last unanswered question:
3) After two huge hacks that involved 25.7 million incidents, and hit a total of 22.1 million people, is there any confidential data remaining at OPM that still needs protecting?