After a yearlong investigation, the House Oversight Committee determined that a massive data breach at a government agency back in 2015 could have long-lasting and serious security implications for the United States — and it could have easily been prevented.
The U.S. Office of Personnel Management, or OPM, manages most of the federal government’s employees, ranging from neighborhood Postal service workers to the director of the FBI. In 2014 and 2015, two cyber attacks believed to have been perpetrated by the Chinese government compromised “highly personal, highly sensitive” personal data of 22 million government employees.
This is a massive problem because the OPM is in charge of background checks for most government employees. For employees whose jobs require highsecurity clearance, the OPM need to know if there’s anything in their history that could be used to blackmail them. It’s bad news if a foreign power has almost unlimited access to all this sensitive information in one easy place.
Joel Brenner, former senior counsel to the NSA, told the commission that the compromised data was “a gold mine for a foreign intelligence service.”
“This is not the end of American human intelligence, but it’s a significant blow,” he continued.
The commission’s report concludes that the breach “jeopardized our national security for more than a generation,” and it’s entirely the OPM’s fault.
The OPM’s cyber security was very lax, as it hadn’t even implemented multi-factor authentication for its employees. These weaknesses were brought up to the agency’s leadership, but the commission says they “failed to heed repeated recommendations.”
“Had OPM implemented basic, required security controls and more expeditiously developed cutting edge security tools when they first learned hackers were targeting sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft,” the report reads.
The report goes on to lambast the agency for attempting to mislead congress and the general public to downplay the scope of the damage, the full extent of which the commission says “will never truly be known.”
Read the commission’s full report here.