The head of the US Office of Personnel Management has fronted Congress to defend the agency's performance to lawmakers furious about a breach that compromised the personnel files of millions of federal workers.
Katherine Archuleta, director of the OPM, said problems exposed by the cyber attacks discovered in April and linked by US officials to China were "decades in the making".
Although she said her agency thwarts hackers 10 million times per month, members of the house committee on oversight and government affairs insisted the successful hacks showed data security could not have been a priority for the OPM.
Some suggested that top officials resign.
"You failed. You failed utterly and totally," Republican representative and committee chairman Jason Chaffetz said.
US officials have said they suspect China was behind the attack, but the administration has not yet publicly accused Beijing.
China denies any involvement in hacking US databases.
This week's congressional hearing was the first since US officials announced early this month that hackers had broken into OPM computers and the data of 4 million current and former federal employees had been compromised.
Since then, they revealed another security breach that put at risk the personal information and intimate details of many millions more Americans - and their relatives and friends - who had applied for security clearances.
New defences breached
Archuleta said the two breaches were discovered and contained because of new security measures implemented in the past year. The attacks occurred before the measures were fully complete.
"I want to emphasise that cyber security issues that the government is facing is a problem that has been decades in the making, due to a lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our internet infrastructure," she said.
Archuleta, who was appointed to head the agency two years ago, said 4.2 million employees were affected by the first OPM hack. Even more had been affected in the other attack, she said, but would not provide an estimate.
She also declined, despite repeated questions, to say how many years' records had been compromised.
The committee's top Democrat, Elijah Cummings, said he was concerned about how many people were affected, what the government was doing to help them and what foreign governments could do with their information.
But he said details of the investigation should not be made public.
"A lot of the information about the attack is classified and the last thing we want to do is give our enemies information."
Archuleta, OPM chief information officer Donna Seymour, Department of Homeland Security secretary Jeh Johnson and other administration officials held a classified briefing on the cyber attacks for lawmakers earlier this week.
Suggestions of Chinese involvement could further strain ties between Washington and Beijing, which are holding an annual "strategic and economic dialogue" in Washington next week involving senior government officials.
Lawmakers expressed frustration at the refusal of Archuleta and other administration officials at the hearing to answer many questions, frequently justifying their silence by saying they could not discuss classified information.
"I am gonna know less coming out of this hearing than I knew coming in," Democratic representative Stephen Lynch said.
"You're doing a great job stonewalling us, but hackers, not so much."