House Republicans say a culture of negligence at the Office of Personnel Management allowed the private information of millions of former and current government employees to be exposed by hackers, according to a majority report released this week by the House Committee on Oversight and Government Reform.
The report noted that “the longstanding failure of OPM’s leadership to implement basic cyber hygiene . . . despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology.”
“As a result, tens of millions of federal employees and their families paid the price. Indeed, the damage done to the Intelligence Community will never be truly known,” it continued. “Due to the data breach at OPM, adversaries are in possession of some of the most intimate and embarrassing details of the lives of individuals who our country trusts to protect our national security and its secrets.”
Based on the committee’s ongoing investigation since February, the document reveals once-hidden information along with a detailed record of the incident. Although OPM announced the leak in June, the report claims that its problems began much earlier, when inspectors informed OPM about potential security flaws in 2005. From there, it mentions the escalating warnings over the years as the agency faced multiple attacks since 2012.
Then came March 2014.
That fateful month, the Department of Homeland Security discovered the first OPM hack as it saw reams of information leaving its system in the dead of night. DHS subsequently coordinated with OPM, the FBI, and other groups to monitor the situation and develop a strategy to expel the hacker. And in May 2014, they believed they had a plan.
The experts, however, were wrong. Unbeknownst to them, another infiltrator had used a contractor’s credentials to enter OPM’s network and insert malware. And by the time another contractor discovered the problem in April 2015, it was too late. At that point, 4.2 million former and current government employees were affected, and 21.5 million others had their security clearance background information stolen.
Ultimately placing the blame on OPM, the report concluded that if it had installed preventative technology and used basic cybersecurity procedures—like multiple layers of authentication—when the agency was warned the first time, “they could have significantly delayed, potentially prevented, or significantly mitigated the theft.”
Democrats on the committee say those findings are incomplete.
“The most significant deficiency uncovered during the Committee’s investigation was…that cyber requirements for government contractors are inadequate,” they said in a Tuesday response. “Second, the Republican staff report unfairly criticizes former Chief Information Officer (CIO) Donna Seymour…[and] ignores specific evidence refuting [Rep. Jason Chaffetz’s calls for her resignation].”
Chaffetz, the committee chairman, nevertheless stood his ground.
“There are people that need to be held accountable because the first breach was unacceptable. But to not take it seriously, to mislead Congress, to delay the actions that would have prevented further loss really put people in harm’s way because it went from roughly affecting 4 million to more than 20 million,” he told the Associated Press in a Wednesday interview.
“This was a very extensive investigation, and despite all of the problems, I do have hope that Beth Cobert, who is the new Office of Personnel Management director [will make] some major, major changes….But unfortunately, you’ve got tens of millions of people whose information is already gone, and there’s no putting that genie back in the bottle.”
