After Huge Hack, OPM Still Hasn't Learned Its Lesson

Mark Van Scyoc/

The Government Accountability Office found OPM is taking greater risks with its systems and data than it should.

The government’s personnel office still isn’t adequately protecting its computer networks two years after a massive data breach that compromised highly sensitive security clearance information of over 20 million current and former federal employees and their families, a congressional watchdog reported Thursday.

The Office of Personnel Management failed to encrypt data stored in one of its high-value systems that would be most attractive to hackers, for example, and failed to encrypt data as it transited in and out of another high-value system, according to the Government Accountability Office report.

Encryption essentially scrambles information so that if hackers get hold of the information but don’t have the encryption key, they won’t be able to make any sense of it.  

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

OPM is also lagging on numerous other security requirements, such as restricting access to computer systems to only the employees that need to access them and requiring two identifying factors—such as a password and a digital identity card—to log into systems, GAO said.

The agency also failed to ensure that its contractors are using adequate security controls, according to the report.

“Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be,” the auditor said.

Overall, OPM completed 11 recommendations the government’s cyber emergency response unit made in the wake of the 2015 breach of security clearance files but is lagging on eight others, GAO said.

The recommendations generally involve security controls such as requiring strong passwords, quickly patching vulnerable systems and monitoring networks for unusual behavior, GAO said. The auditor didn’t list specific recommendations from U.S. CERT, the Homeland Security Department’s Computer Emergency Readiness Team, out of concern they could be exploited by U.S. adversaries.

The office has only fully implemented policies and procedures for two out of eight governmentwide security goals that GAO reviewed. Those goals cover categories such as installing anti-phishing tools and scanning for cyber threat indicators supplied by DHS.

A July report from OPM’s inspector general found the agency was not effectively vetting its computer systems before reauthorizing them.

Former President Barack Obama ordered the government to stand up a new National Background Investigation Bureau for security clearance reviews in the wake of the OPM breach. The NBIB is managed within OPM but secured by the Defense Department.

OPM’s legacy security clearance systems are still being maintained, however, until the NBIB is fully operational and all active cases in the system are completed, a process that is expected to take at least three years, GAO said.

Chinese government hackers are widely believed to be responsible for the 2015 OPM breach, but the government never officially attributed the hack to Beijing. The hackers were likely after information they could use to bribe or blackmail top government officials into giving up secrets.

President Donald Trump’s nominee to run OPM, George Nesterczuk, withdrew from consideration earlier this week amid criticism from federal employee unions.