A failure to prioritize cybersecurity and adequately secure high-value data helped lead to the OPM data breach, according to a House Oversight and Government Reform report.
Furthermore, the OPM Inspector General (IG) had warned the agency as early as 2005 that the information it maintained was potentially vulnerable to hackers.
There was also an overall lax security environment, according to The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. OPM had an “absence of an effective managerial structure to implement reliable IT security policies,” and also “failed to implement the Office of Management and Budget’s (OMB) longstanding requirement to use multi-factor authentication for employees and contractors who log on to the network.”
On June 4, OPM announced that it was the victim of a cyber attack, compromising millions of federal applicants’ personally identifiable information (“PII”), records, and sensitive information. Nearly one month later, OPM reported that a significantly greater number of individuals were affected by a ‘separate but related’ cybersecurity breach.
The personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals were exfiltrated by hackers.
OPM also misled Congress and the public by downplaying the fallout, the report’s authors explained.
“OPM failed to proactively announce the 2014 breach to the public, and claimed the two cyberattacks were not connected,” the report reads. “The 2014 and 2015 incidents, however, appear to be connected and possibly coordinated.”
Donna Seymour, who was the OPM CIO at the time, also made false and misleading statements under oath, the House report claimed. For example, Seymour reportedly testified on April 22, 2015 that “our antiquated technologies may have helped us a little bit.” Two months later, Seymour testified that the stolen manuals that were a roadmap to OPM’s systems were “outdated security documents.”
OPM disagrees with many aspects of the House report, OPM Director Beth Cobert writes in a blog post. The report “does not fully reflect where [OPM] stands today,” Cobert said.
“Over the past year OPM has worked diligently with its partners across government and made significant progress to strengthen our cybersecurity posture, and reestablish confidence in this agency’s ability to protect data while delivering on our core missions,” she wrote.
For example, those who log in to OPM systems are required to use strong forms of multi-factor authentication, Cobert explained. Furthermore, OPM has strengthened its legacy technology systems while developing a new, modern IT infrastructure.
“At OPM we recognize that cybersecurity is not just about technology – it’s about people,” Cobert wrote. “In addition to strengthening our technology, we have added seasoned cybersecurity and IT experts to our already talented team.”
In a 2015 interview with HealthITSecurity.com, Institute for Critical Infrastructure Technology (ICIT) Co-founder and Senior Fellow Parham Eftekhari highlighted the lack of multi-level security as a key issue with the OPM data breach. It's critical that companies protect both the perimeter and the core of their organizations.
Eftekhari added that good governance policies, such as changing passwords, managing accounts, and disabling accounts when an individual has left the organization, are also essential to preventing these types of incidents from happening.
"One of the things we identified in [our report to Congress on OPM’s security systems] before the breach was identified was that governance was really missing and is something that healthcare organizations can and should be implementing," Eftekhari said. "These are not new concepts. Governance is a basic idea that unfortunately a lot of organizations still don't get down."