One of the largest and most significant data breaches in US history could have been prevented by basic security controls, according to a damning congressional report.
The report by the Republicans on the US House of Representatives’ Committee on Oversight and Government Reform found that the Office of Personnel Management (OPM) data breach “was preventable” and that the agency had failed to respond to growing threats of sophisticated cyber attacks, or prioritize resources for cybersecurity.
In what was likely to be a coordinated campaign — widely blamed on hackers backed by China — to collect information on government employees, attackers stole personnel files of 4.2 million former and current government employees and security clearance background investigative information on 21.5 million people, plus the fingerprints of 5.6 million people from the US OPM during the attacks in 2014 and 2015.
This data included intimate and potentially embarrassing details, including information on mental health conditions, use of illegal drugs and financial problems due to gambling.
The report, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, warned: “the intelligence and counterintelligence value of the stolen background investigation information for a foreign nation cannot be overstated, nor will it ever fully be known”.
It added: “Due to the data breach at OPM, adversaries are in possession of some of the most intimate and embarrassing details of the lives of individuals who our country trusts to protect our national security and its secrets.”
The report said that despite the high value information held by OPM, the agency “failed to prioritize cybersecurity and adequately secure high value data.” It said employees and contractors were not required to use multi-factor authentication to log onto the network.
“The lax state of the OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise,” the report said.
In March 2014, the US Department of Homeland Security’s Computer Emergency Response Team warned OPM that it’s network had been hacked, and OPM decided to monitor the attacker – dubbed Hacker X1 — to understand the threat. But in May another hacker — Hacker X2 – also got into the network. While OPM was able to kick out Hacker X1 in late May, in July the second undetected attacker started to steal data, starting with security clearance background investigation files, stealing the fingerprint data in early 2015.
The two attacks, the report said, appear to be connected and possibly coordinated. “The two attackers shared the same target, conducted their attacks in a similarly sophisticated manner, and struck with similar timing,” it said.
“Had OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft,” the report said.
The OPM said it disagreed with “many aspects of the report” and said over the past year it has made significant progress to strengthen its cybersecurity posture, and “reestablish confidence” in the agency’s ability to protect data. It said people accessing its systems now have to use strong multi-factor identification. “This level of security provides a powerful barrier to our networks from individuals who should not have access,” it said.
It has also hired a senior cybersecurity advisor who reports to the director of OPM, plus a new CIO and a new Chief Information Security Officer “whose sole responsibility is to take the steps necessary to secure and control access to sensitive information.”