OPM is Still Far Behind on Data Protection Three Years After Devastating Breach


The agency hasn’t implemented one-third of an auditor’s cybersecurity recommendations.

More than three years after suffering the most devastating cyber breach to date against civilian government networks, the Office of Personnel Management still hasn’t implemented about one-third of the recommendations from the government’s in-house auditor, a Tuesday report found.

Un-implemented recommendations include regularly updating software to the latest version, encrypting passwords and ensuring administrators aren’t sharing account logins, according to the Government Accountability Office report.

In some cases, OPM still hasn’t reset passwords that were used before the breach, the report found.

The OPM breach compromised sensitive security clearance information about more than 20 million current and former federal employees and their families plus a smaller amount of fingerprint data.

Overall, OPM has implemented 51 of the Accountability Office’s 80 recommendations, or about 64 percent. Some of those implemented recommendations include strengthening firewalls, enforcing password policies and updating contingency plans for especially vital systems, the report states.

Of the 29 remaining recommendations, OPM plans to implement 25 before the end of 2018 plus three more before October 2019, the agency’s chief information officer told the Accountability Office.

OPM does not plan to implement a final recommendation focused on putting security controls on contractors’ workstations, the report states. The office believes it has other security controls that compensate for that one, GAO said.

The GAO report comes just days after OPM’s own inspector general found “material weakness” in the agency’s information security program, citing a lack of information technology resources and “the agency’s culture of minimizing the role of the chief information officer.”

The inspector general also noted a “significant deficiency” in OPM’s IT security controls, finding that all the agency’s IT systems had valid security assessments and authorizations but that some of those assessments and authorizations included low-quality work and questionable supporting documentation.

A federal appeals court is currently considering whether to reinstate a lawsuit brought by two federal employee unions over OPM’s data breach. That suit was scrapped at the federal district court level when a judge ruled the plaintiffs didn’t have standing to sue because they hadn’t suffered any clear harm.

Chinese government-linked hackers are widely believed to be responsible for the 2015 OPM breach, but U.S. officials have never formally accused the Chinese government of being responsible for the breach. There’s no clear evidence that data stolen in the breach has ever been released on the dark web or used to conduct identity theft.