The massive data breach at the U.S. Office of Personnel Management (OPM) that exposed background investigations and fingerprint data on many millions of Americans was the result of a cascading series of cyber security mistakes by the agency’s senior leadership on down to the outdated technology used to secure the sensitive data, according to a lengthy report released today by a key government oversight panel.
The full report can be read here.
Committee on Oversight and Government Reform
U.S. House of Representatives
114th CongressThe OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation
Majority Staff Report
Hon. Jason Chaffetz, Chairman
Committee on Oversight and Government Reform
Hon. Mark Meadows, Chairman
Subcommittee on Government Operations
Hon. Will Hurd, Chairman
Subcommittee on Information Technology
Some excerpts from the report:
Had OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or sigificantly mitigated the theft.
OPM Misled Congress and the Public to Diminish the Damage. As the agency assessed the damage cased by the hackers, OPM downplayed the fallout. OPM failed to proactively announce the 2014 breach to the public, and claimed the two cyberattacks were not connect. The 2014 and 2014 incidents, however, appear to be connected and possibly coordinated.
The Committee’s year-long investigation to understand how the attackers perpetrated their intrusion, movements, and ultimately the exfiltration of the data began with hearings, wherein then-OPM Chief Inforation Officer (CIO) Donna Seymour made a series of false and misleading statements under oath regarding the agency’s response to the incidents announce in 2015.
In short, the Congressional Oversight Committee has blamed the breach at the OPM on the security of the department from the top on down. They have criticized the security and the handling of the breach by the OPM. The report makes for some interesting, but scary reading.