Committee Releases Year-Long Investigative Report into OPM Data Breaches

Published: Sep 7, 2016

Requests opinion from GAO on Anti-Deficiency Act violation by OPM

WASHINGTON, D.C. – Today, House Oversight and Government Reform Chairman Jason Chaffetz (R-UT) released a staff report titled, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, chronicling the Committee’s year-long investigation into how highly personal, highly sensitive data of millions of Americans was compromised by a foreign adversary in 2015. The report outlines findings and recommendations to help the federal government better acquire, deploy, maintain, and monitor its information technology.

As a result of one the Committee’s findings, Chairman Chaffetz sent a letter to the Government Accountability Office (GAO) requesting an opinion on whether the Office of Personnel Management (OPM) violated the Anti-Deficiency Act (ADA) when it accepted services from a company without payment.

Key findings, recommendations and an excerpt from the letter are below:

Key Findings:

  • The OPM data breach was preventable.
  • OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity.
  • Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.
  • OPM misled the public on the extent of the damage of the breach and made false statements to Congress

Key Recommendations:

  • Reprioritize federal information security efforts toward zero trust.
  • Ensure agency CIOs are empowered, accountable, and competent.
  • Reduce use of social security numbers by federal agencies.
  • Modernize existing legacy federal information technology assets.
  • Improve federal recruitment, training, and retention of federal cybersecurity specialists

 Letter to GAO:

“In brief, we believe OPM violated the ADA when the agency retained and deployed CyTech’s software following a product demonstration, and never paid.”

A timeline of the breaches can be found here.

###