The report from the House Oversight Committee took aim at the agency's failure to follow standard security practices after it caught the first of two hackers inside the OPM system. The second hacker stole security clearance background information on more than 20 million people, personnel files on more than 4 million people and fingerprints from nearly 6 million people. “The agency failed to prioritize cybersecurity and adequately secure high-value data,” the report said.
The security problems at OPM, the committee said, predated the data breach. OPM failed to meet the Office of Management and Budget’s cybersecurity requirements and was cited by the agency as among those with the “weakest authentication profile.”
If two-factor identification had been required for remote access to the OPM systems—as OMB required—hackers might not have been able to use stolen login credentials. Two-factor identification requires an additional step besides a password to log in, such as a code sent by text message.
Two hackers breached the OPM systems. The first, which the report called Hacker X1, was unable to steal the personnel records. X1 was caught on March 20, 2014 and expunged from the OPM system on May 7. OPM called the effort to expel the hacker the “Big Bang.” But the security efforts were not enough to rid the system of a second, undetected hacker the report calls X2.
In conjunction with the report, the Oversight committee sent a letter to the Government Accountability Office alleging that OPM continued to use, without paying for it, monitoring software that caught X2 during a product demonstration. “In brief, we believe OPM violated the [Anti-Deficiency Act] when the agency retained and deployed CyTech’s software following a product demonstration, and never paid,” the letter said.
In a blog post, Beth Cobert, acting director of OPM, said she disagreed with aspects of the congressional investigation, which “does not fully reflect where this agency stands today.” OPM has achieved “significant progress” over the past year to improve cyber security, Cobert said, including requirements for multi-factor authentication, modernized information technology infrastructure, a new senior cyber security adviser, and the formation of a new organization responsible for background checks on employees and contractors.