U.S. personnel management hack preventable, congressional probe finds

By Dustin Volz

WASHINGTON (Reuters) – The U.S. Office of Personnel Management (OPM) did not follow rudimentary cyber security recommendations that could have mitigated or even prevented major attacks that compromised sensitive data belonging to more than 22 million people, a congressional investigation being released on Wednesday has found.

Two breaches at the federal agency detected in 2014 and 2015 were made worse by lax security culture and ineffective leadership, which failed to harness available tools that could have stopped or limited the intrusions, according to the report from the Republicans on the U.S. House of Representatives’ Committee on Oversight and Government Reform, a copy of which was seen by Reuters.

“The OPM data breach and the resulting generational national security consequences cannot happen again,” said Republican Representative Jason Chaffetz, the committee’s chairman, in the report.

The investigation faulted OPM – which manages employment matters for the federal government, including background checks for most agencies – for not moving more quickly to address early signs of an attack, allowing hackers to later siphon off reams of personnel data.

It also said OPM ignored repeated inspector general reports dating back to 2005 that warned of cyber security shortcomings.

Representative Elijah Cummings, the top Democrat on the oversight panel, rejected the report’s findings in a memo to other Democrats. He claimed the report had factual deficiencies and did not account for mistakes made by federal contractors.

U.S. intelligence officials have linked the Chinese government to both OPM breaches, an accusation Beijing has denied.

Though the Republican report credits OPM with improving its cyber security over the past year, it also includes suggestions for the federal government to address vulnerabilities.

They include longer retention of qualified chief information officers, reduction of the use of social security numbers, and a “zero trust model” of information security that enforces strict controls on what data users inside a network can access.

In a blog post set to be published on Wednesday, Beth Cobert, acting director of OPM, said she disagreed with aspects of the congressional investigation, which “does not fully reflect where this agency stands today.”

OPM has achieved “significant progress” over the past year to improve cyber security, Cobert said, including requirements for multi-factor authentication, modernized information technology infrastructure, a new senior cyber security adviser, and the formation of a new organization responsible for background checks on employees and contractors, she said in the blog post, a copy of which was seen by Reuters before publication.

That new entity, the National Background Investigations Bureau, is intended to replace OPM’s Federal Investigative Services. It will have its information systems handled by the Pentagon and is expected to be operational by Oct. 1.

(Reporting by Dustin Volz; Editing by Bill Rigby)