A blistering new report from Republicans on the House Committee on Oversight and Government Reform says that the massive breaches at the Office of Personnel Management revealed last summer were preventable and that the agency misled the public about the severity of the problem.
The two breaches exposed the personal information of more than 20 million former and current federal employees — including, in some cases, sensitive background check information and fingerprint data — in one of the largest hacks of government systems to date.
The 231-page report concluded that the breaches, suspected by many to be the work of state-sponsored Chinese hackers, were "likely connected and possibly coordinated" — with data stolen during the first attack appearing to serve as a sort of "road map" to OPM systems for the second attack.
"The lax state of OPM's information security left the agency's information systems exposed for any experienced hacker to infiltrate and compromise," according to the report, citing numerous inspector general reports that raised the alarm about the agency's digital security before the hacks. Defense tools and basic security measures, such as requiring multi-factor authentication for remote workers, which were available when the attacks occurred, could have prevented or at least limited the damage the breaches caused, the report said.
A timeline in the report says that a third party first notified OPM of a breach in March 2014, although evidence from analyzing malware found on the agency's system suggests the attackers' infiltration dated to 2012. The government was able to expel the first attackers in May 2014 but did not notice a backdoor that the second group of hackers had already established, by using stolen credentials for a background investigation contractor, according to the report.
The report also accuses OPM of misleading the public and Congress about the breaches to play down the fallout — criticizing the agency for its claims that the two cyberattacks were not connected and not proactively announcing the first breach when it was uncovered in 2014. It specifically calls out then-OPM chief information officer Donna Seymour and then-agency chief Karen Archuleta, both of whom resigned while facing heat over the breaches.
Although largely critical, the report does praise some parts of the government's investigation into the incidents — as well as security upgrades made at OPM under acting director Beth Cobert. In a blog post responding to the report, Cobert said that she disagrees "with many aspects of the report" but welcomed recognition of the progress the agency has made. Cobert outlined several steps the agency has taken to improve its cyberdefense, including expanding its use of multi-factor authentication and deploying a tool developed by the Department of Homeland Security that continually watches networks for suspicious activity.
The new report was the culmination of a year-long investigation by the Oversight Committee that was started when Chairman Jason Chaffetz, Republican congressman from Utah, led a series of heated hearings about the breaches after they became public. Democrats on the committee released a memo Tuesday, preempting the report, that argues the Republican report "fails to adequately address" security requirements for federal contractors. "The most significant deficiency uncovered during the committee's investigation was the finding that federal cybersecurity is intertwined with government contractors, and that cyber requirements for government contractors are inadequate," the memo says.