Oversight Committee rips agency for data breach

Oversight Committee rips agency for data breach
© Haiyun Jiang

A new report from the House Oversight Committee slams the massive data breach at the Office of Personnel Management (OPM) as something that “could have been prevented.”

The report, released Wednesday, takes aim at standard security practices that could have been taken after the agency caught the first of two hackers inside the OPM system. The second hacker stole security clearance background information on more than 20 million people, personnel files on more than 4 million people and fingerprints from nearly 6 million people. 

ADVERTISEMENT

“The agency failed to prioritize cybersecurity and adequately secure high-value data,” the report says.

The security problems at OPM, the committee says, predated the data breach. OPM failed to meet the Office of Management and Budget’s cybersecurity requirements and was cited by the agency as among those with the “weakest authentication profile.” 

If two-factor identification had been required for remote access to the OPM systems — as OMB required — hackers might not have been able to use stolen login credentials. Two-factor identification requires an additional step beside a password to log in, such as a code sent by text message.  

Two hackers breached the OPM systems. The first, which the report calls Hacker X1, was unable to steal the personnel records. X1 was caught on March 20, 2014 and expunged from the OPM system on May 7. OPM called the effort to expel the hacker the “Big Bang.”

But the security efforts were not enough to rid the system of a second, undetected hacker the report calls X2.

Oversight notes testimony that, had OPM immediately enacted two-factor security,  X2 would have been stopped or slowed. But beyond that, the report notes that monitoring software purchased from firm Cylance, routinely caught attackers but, despite being a tool available to OPM, was not installed until after X2 breached the network. 

OPM’s IT director, Jeff Wagner, recommended installing the Cylance software after X1 was caught.

In conjunction with the report, Oversight sent a letter to the Government Accountability Office alleging that OPM continued to use monitoring software which caught X2 during a product demonstration without paying for it. 

“In brief, we believe OPM violated the [Anti-Deficiency Act] when the agency retained and deployed CyTech’s software following a product demonstration, and never paid,” reads the letter.

Oversight Committee Chairman Jason Chaffitz (R-Utah) opens the report with a letter directed to federal Chief Information Officers. 

“The data breach at the U.S. Office of Personnel Management is a defining moment, and it is up to you, — the community of federal chief information officers—to determine how the country will respond," he writes.