House Oversight Committee Blasts OPM for Data Security Lapses in 2015 Breach

The House Committee on Oversight and Government Reform yesterday issued a scathing 241-page report detailing a string of security lapses that resulted in the theft of personal information about nearly 22 million U.S. government employees, their families and applicants for federal jobs. The attack on the U.S. Office of Personnel Management was the most notorious of 2015 and is thought to be the work of a foreign government. The information stolen included Social Security Numbers, residency and educational history, employment history, information about immediate family and other personal and business acquaintances, health, criminal and financial history and other details. Some records also include findings from interviews conducted by background investigators and fingerprints.

The report said the OPM has been aware that its data has been vulnerable for more than a decade. It said that had the agency implemented basic security measures before the hack (many of which, like two-factor authentication for remote logons, were already required for government systems) and responded faster after it was aware of the intrusion, it could have significantly mitigated the damage.

“We had literally tens of millions of Americans whose data was stolen by a nefarious overseas actor, but it was entirely preventable,” Rep. Jason Chaffetz (R-Utah), the committee chairman, said in an interview. “With some basic hygiene, some good tools, an awareness and some talent, they really could have prevented this.”

OPM Acting Director Beth Cobert said in a statement that the report “does not fully reflect where this agency stands today. [The breach] provided a catalyst for accelerated change within our organization.”