OPM has dug itself into a pretty deep hole, but we’re learning that’s it’s more gaping than anyone could’ve imagined or that the agency wants to admit.

First, according to Politico the two-part breach of its systems could have affected as many as 32 million current, former, and prospective employees including potential military enlistees. This is according to Rep. Jason Chaffetz (R-) during another congressional hearing this week. He pulled the 32-million figure directly from OPM’s own 2016 budget proposal and that banking information for at least two million people could have been compromised as well.

In response, OPM Director Katherine Archuleta refused to acknowledge the figure or comment –saying she didn’t want to “give a number that is not completely accurate.” It’s been a few weeks now, when do they think they will ever have even a reasonable estimate of how many people have had their data stolen?

Next, hackers gained access to records of millions of American employees dating back 20 years and it wasn’t just limited to workers, but spouses, family members, references and others listed by applicants when applying for federal jobs.

The Wall Street Journal reports that this revelation came from Federal Bureau of Investigation Director James Comey testifying before the Senate Intelligence Committee. Even his own information was stolen. And as we know, the Administration is saying that the Chinese are behind the two hacks on OPMs system.

About this new information OPM is still tightlipped.

Third, the OPM was warned according to The Hill that its online systems were vulnerable and could potentially be breached as far back as 2012 and did nothing about it. This comes from OPM’s inspector general who said OPM officials repeatedly failed to heed its warnings, even refusing to shut down several of its weakest computers systems – among other recommendations.

OPM chief Archuleta defiantly maintains that she’s always taken into account inspector general recommendations and the reason the agency kept problem computer systems running was to avoid gaps in delivering employee paychecks and benefits.

Are we really to believe that over the past three years, OPM could not work to shift its payment systems away from the vulnerable computer systems? Did they not have a back-up plan or a transitional plan in all of this time? This an issue of mismanagement.

Finally, let’s add a couple of lawsuits to the mix. As the Washington Post reports, in June, the Americans Federation of Government Employees filed suit against a contractor that does background investigations for security clearances, which may have triggered the first OPM breach. Now the National Treasury Employees Union (NTEU), which represent 85,000 federal employees, is suing OPM claiming that the agency violated employees’ right to privacy by failing to take all recommended steps (as noted above) to protect their computer networks. NTEU is suing for the government to pay for credit-monitoring and identity-theft protection of employees for life and for the court to force OPM to get its act together to keep this from happening again.

You can learn from wisdom and avoid catastrophe, hardship, and pain or you can your head in the sand and learn nothing. It looks like the OPM chose the latter course and ignored its own internal warnings that the system was at risk. In private enterprise, somebody would get fired.

When will we expect someone at OPM to take responsibility and action? Sadly, should we be shocked that a federal agency is failing to protect the privacy and personal information of those under its care? Millennials have little interest in public service these days. When we learn that even applying for a job with government sets us up for having our identities hacked inspires even less confidence in government – and that’s not such a bad thing.