House Oversight Committee Blames Former OPM Leadership For Largest U.S. Government Data Breach In History

A new report released by the House Oversight and Government Reform Committee, chaired by Rep. Jason Chaffetz, blamed former OPM Chief Information Officer Donna Seymour and Director Katherine Archuleta for what became the largest U.S. government data breach in history.

Largest U.S. Government Data Breach

The OPM hack exposed sensitive files of 21.5 million people, of which 4.2 million were current and former federal employees. The rest were their closest relatives. The hack also exposed 5.6 million fingerprints, which, if compromised, should probably never be used again for biometric authentication.

To remind everyone just how significant the hack was and how much it affected the U.S. government, the report contained a few quotes from high-ranking current and former intelligence and law enforcement officials:

“This is crown jewels material … a gold mine for a foreign intelligence service. This is not the end of American human intelligence, but a significant blow,” said former NSA Senior Counsel.

“We cannot undo this damage. What is done is done and it will take decades to fix,” said John Schindler, former NSA officer.

“[The SF-86] gives you any kind of information that might be a threat to [the employee’s] security clearance,” said Jeff Neal, former DHS official.

“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is there,” said James Comey, Director of the FBI.

“[OPM data] remains a treasure trove of information that is available to the Chinese, until the people represented by the information age off. There’s no fixing it,” said Michael Hayden, former Director of the CIA.

Although fingerprints and social security numbers were also stolen, the most sensitive information was contained in the Standard Form 86 (SF-86) files. These files are required for people who need security clearance so they can access classified information. The SF-86 files contain information that could be used as stepping stones for future data breaches (such as the stolen fingerprints, unless they’ve all been revoked and denied in all of the government’s new systems).

The SF-86 files also contained personal information such as whether the employees consumed illegal drugs, abused alcohol, gambled, or whether they consulted medical professionals for certain mental health conditions. This type of information could potentially be used as blackmail material.

In a way, asking for this sort of information seems counterproductive. The U.S. government wants future employees to disclose anything that might be used as blackmail against them. However, it then stores all of that blackmail material for millions of employees in one single place. Regardless of how good the security of that system is, it becomes too attractive a target, and it’s only a matter of time before it gets hacked.

A Decade Of Bad Security

According to the House report, the OPM Inspector General (IG), who performed security audits for OPM’s systems, has warned since at least 2005 that the data was vulnerable to hackers. Nine years later, in 2014, the IG upgraded the OPM’s security rating from “material weakness” to “significant deficiency.” In other words, the OPM’s systems were still highly vulnerable. That was also the same year the OPM hack happened.

A year after that, in 2015, the IG reported that “OPM continues to struggle to meet many FISMA requirements” and with “overall lack of compliance that seems to permeate the agency’s IT security program.”

After the OPM made the breach public a year after it happened, some security firms opined that the damage could’ve been greatly diminished if the employees had used two-factor authentication. A 2015 Office of Management and Budget (OMB) report also identified OPM as one of the few agencies with the “weakest authentication profile.”

The OPM also allowed some systems to operate without a security assessment and valid Authority to Operate (ATO). In 2014, the IG called the increasing number of OPM IT systems without an ATO “alarming.”

The OPM’s data breach was perpetrated by two attackers, who the House committee believes likely coordinated with one another. By the time the OPM and the DHS moved to eliminate “Hacker X1” (the name given by the committee to the first hacker) from its systems, “Hacker X2” had managed to put a backdoor into the system. The backdoor was not detected due to OPM’s weak security systems and IT policies.

The Breach Could’ve Been Prevented

According to the report, OPM’s lack of good IT security hygiene, its reluctance to prioritize security for critical data, and its leadership’s decision to first monitor what Hacker X1 was trying to do inside its systems for months before sounding the alarm were all major factors in exposing the data of 21.5 million people. If the OPM had acted more quickly and begun securing its networks sooner, the attackers might not have been able to steal the most sensitive information.

It wasn’t until April 2015 that the OPM began using two-factor authentication and preventative security measures. High-value targets such as the OPM can’t rely on security solutions such as antivirus software and firewalls alone. Firewalls can be bypassed by sophisticated attackers, and no sophisticated attacker would use software vulnerabilities and malware that have already been analyzed by anti-virus companies. They are far more likely to use zero-day exploits to access such systems, so security solutions that are effective against such exploits must be used.

The House committee claimed that the OPM had the tools to prevent the data breach, but the agency failed to leverage them because of the agency’s poor security culture and policies. It now hopes that under the new leadership of Acting Director Beth Cobert, decades of mismanagement can be remedied.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • g-thor
    <rant> Attention politicians and bureaucrats; this is what happens when security is weak or compromised. If the law requires companies to have weaknesses built in, the bad guys know the weaknesses exist and will search for, find and exploit them, as they do with Zero Day exploits, except it will probably be easier. Then everyone will be compromised. </rant>
  • bit_user
    It must be said that when you keep cutting budgets and trash-talking bureaucrats, negative consequences are inevitable. Republicans seem to love the private sector, but you don't see CEO's publicly humiliating their own people, cutting their budgets, waiting for them to screw up, rinse and repeat. Low pay and poor working conditions drives competent people away from government jobs. This bullying needs to stop.

    We need good people in government. We need to treat them with respect, give them the resources they need for the job, and we need to make them transparent and accountable for the results. That is how you actually prevent these sorts of problems. But Republicans don't actually want a government that works, because then they'd have less to complain about.
  • ozonefree
    BIT_USER it's apparent that you've never worked for a large company. And govt. jobs pay much more than found in the equivalent private sector. If we just eliminated all the waste (i.e. giving money to people/companies that don't need propping up) we'd have plenty left over to get security systems for our govt. Uh, BTW, surely you know how to use Google??
  • bit_user
    18564455 said:
    BIT_USER it's apparent that you've never worked for a large company. And govt. jobs pay much more than found in the equivalent private sector. If we just eliminated all the waste (i.e. giving money to people/companies that don't need propping up) we'd have plenty left over to get security systems for our govt. Uh, BTW, surely you know how to use Google??
    Wrong, wrong, wrong, and of course I can use Google. But if you get all your information about government from sites which agree with your point of view, then don't expect it to align well with reality. I have seen, listened to, and read plenty of right-wing media. I know the way they cherry-pick examples and distort things. If you actually look at what someone in the FBI makes and their working conditions, for example, you won't find much comparable, in the private sector.

    Sure, when something bad happens at big companies, certain people do get hung out to dry. That's not what I'm talking about. My CEO example was about the constant drumbeat of anti-government propaganda, from the right-wing. You just don't see CEOs complaining about their employees day after day. If they did that, they'd get fired.

    I'm not a government employee, but I understand all the ways in which we depend on government. Again, I just don't see how the people who do the most complaining about government are actually helping matters. I honestly don't think they want to fix government, because complaining about it has worked so well for them, as a campaign platform.
  • falchard
    There really wasn't a problem of funding for these Bureaucrats. Bush grew the level of Bureaucrats and Regulators by 17.1%. Obama an additional 10.1%. They haven't cut them or slashed their budgets. It's purely a mismanagement of systems stemming from many sources in the public sector. Democrats and Republicans in Congress, to the employees enforcing the security. Obviously in the private sector security is taken more seriously. You have to be damn good to work on the systems in private banks for instance. So just be thankful that these guys are not in charge of safe-guarding your bank account.
  • Nicholas Steel
    Since these comments seem to be for 2 different articles on the website: The PS4 Pro article does not indicate if the PS4 Pro is backwards compatible with all pre-existing PS4 games. It only indicates that all upcoming games (and "some" that will be patched) will work on the PS4 & PS4 Pro.
  • Kimonajane
    Both women, want a job done right use men. Wanna bet nothing happens to them, actually they will probably get a promotion under Obama's fascist regime.
  • warezme
    The culture of layered bureaucracy is the issue. I have spoken with IT pros, specifically the military, who know what they are doing and present plans and strategies to their "SUPERIORS" only to get them gutted or dissected into worthlessness because those same "SUPERIORS" don't know crap about security.
  • shrapnel_indie
    18564268 said:
    It must be said that when you keep cutting budgets and trash-talking bureaucrats, negative consequences are inevitable. Republicans seem to love the private sector, but you don't see CEO's publicly humiliating their own people, cutting their budgets, waiting for them to screw up, rinse and repeat. Low pay and poor working conditions drives competent people away from government jobs. This bullying needs to stop.

    We need good people in government. We need to treat them with respect, give them the resources they need for the job, and we need to make them transparent and accountable for the results. That is how you actually prevent these sorts of problems. But Republicans don't actually want a government that works, because then they'd have less to complain about.

    Democrats are no better.
    Senator Diane Feinstein, who has been a champion of surveillance laws such as the 2008 FISA Amendments Act and its 2012 renewal, as well as the “Cyber-Patriot Act” legislation passed under the guise of “cybersecurity legislation” last year, also tried to pass an anti-encryption bill in the Senate.
    http://www.tomshardware.com/news/lawmakers-encryption-regulation-house-report,32180.html

    Feinstein is not only very anti-2nd Amendment, but here she doesn't want your data protected and secured behind encryption. She is also a lifetime Democrat.

    Democrats also like the people dependent upon them for everything in their lives. While Europe is asking for citizens to become less dependent, The U.S. is doing the opposite.

  • DeadlyDays
    From what I've experienced, the issue is that upper level refused to follow security practices and IT isn't given the power to enforce security by cutting them off.