US personnel management hack preventable, congressional probe finds

WASHINGTON - The US Office of Personnel Management (OPM) did not follow rudimentary cyber security recommendations that could have mitigated or even prevented major attacks that compromised sensitive data belonging to more than 22 million people, a congressional investigation being released on Wednesday has found. Two breaches at the federal agency detected in 2014 and 2015 were made worse by lax security culture and ineffective leadership, which failed to harness available tools that could have stopped or limited the intrusions, according to the report from the Republicans on the US House of Representatives’ Committee on Oversight and Government Reform, a copy of which was seen by Reuters. “The OPM data breach and the resulting generational national security consequences cannot happen again,” said Republican Representative Jason Chaffetz, the committee’s chairman, in the report. The investigation faulted OPM - which manages employment matters for the federal government, including background checks for most agencies - for not moving more quickly to address early signs of an attack, allowing hackers to later siphon off reams of personnel data. It also said OPM ignored repeated inspector general reports dating back to 2005 that warned of cyber security shortcomings. Representative Elijah Cummings, the top Democrat on the oversight panel, rejected the report’s findings in a memo to other Democrats. He claimed the report had factual deficiencies and did not account for mistakes made by federal contractors. US intelligence officials have linked the Chinese government to both OPM breaches, an accusation Beijing has denied. Though the Republican report credits OPM with improving its cyber security over the past year, it also includes suggestions for the federal government to address vulnerabilities. They include longer retention of qualified chief information officers, reduction of the use of social security numbers, and a "zero trust model" of information security that enforces strict controls on what data users inside a network can access. -Reuters