A report from the Republican majority on the House Oversight and Government Reform Committee published today places blame for the 2014 and 2015 data breaches at the Office of Personnel Management squarely on the OPM's leadership. The report finds that the long-time network infiltration that exposed sensitive personal information on about 21.5 million individuals could have been prevented but for "the longstanding failure of OPM's leadership to implement basic cyber hygiene."
"Tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency's extensive responsibilities," the report concluded. And the committee's majority report also asserted that former OPM Chief Information Officer Donna Seymour lied repeatedly during her testimony, misstating how the agency responded to the breach and misleading Congress and the public about the damage done by the attack. Ars extensively covered the shortfalls in OPM's security last year.
The House Oversight report reveals that there were two separate extensive breaches—one beginning as early as November of 2013, which went undiscovered until March 2014 and was finally shut down completely two months later, allowed attackers to obtain manuals and technical information about the types of data stored in OPM systems. A second attack began shortly afterward, targeting background investigation data, personnel records, and fingerprint data. These breaches were determined to be likely conducted by the "Axiom Group" and "Deep Panda," respectively, two China-based hacking groups alleged to have ties to the Chinese government. The attacks used a series of domains—some with OPM-related names (opmsecurity.org and opmlearning.org) and registered under the names of Marvel superheroes Tony Stark (Iron Man) and Steve Rogers (Captain America)—to control malware and exfiltrate stolen data.