A year-long investigation into a stunning breach of millions of personnel records and related fingerprint data from the federal Office of Personnel Management (OPM) in 2014 and 2015 concludes the hack could have been prevented or at least mitigated if proper protections had been in place.
“Had OPM implemented basic, required security protocols and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft,” says the report by the Republican Staff of the House Oversight and Government Reform Committee.
The report, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, says that had OPM not lagged in implementing two-factor authentication for network access as had been required, the hackers wouldn’t have gained access to the network.
“Importantly, the damage also could have been mitigated if the security of the sensitive data in OPM’s critical IT systems had been prioritized and secured,” the Sept. 7 report says.
The report recommends that agency chief information officers be empowered, accountable and competent; that legacy federal IT systems be modernized; that the federal government improve its hiring, training and retention of cyber security professionals; and that federal information security efforts be reprioritized toward zero trust.