OPM ignored warnings last year its computers were insecure

An inspector general report last year had advised OPM to shut down many of its computer systems because they were running without sufficient security. The agency ignored that recommendation.

In the audit report published November 12, 2014, OIG found that 11 out of 47 computer systems operated by OPM did not have current security authorizations. Furthermore, the affected systems were “amongst the most critical and sensitive applications owned by the agency.” Two of the unauthorized systems are described in the report as “general support systems” which contained over 65 percent of all OPM computer applications. Two other unauthorized systems were owned by Federal Investigative Services, the organization which handles background investigations in connection with government security clearances. OIG warned bluntly, “any weaknesses in the information systems supporting this program office could potentially have national security implications.”

Because of the volume and sensitivity of the information involved, OIG recommended OPM “consider shutting down systems that do not have a current and valid Authorization.” But OPM declined, saying, “We agree that it is important to maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.”

The head of OPM also claimed in House hearings yesterday that their failure to close these systems down was justified since the hackers were already in the system when the recommendation was made.

In other words, we didn’t do anything to make the system secure, and when hackers broke in it was further justification for not doing anything.

Yeah, let’s put our healthcare under their control also!


  • schwit


    Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”

  • Brian H

    Oh, this was left unsecured for a reason… so that data could be taken…

  • pzatchok

    Just remember.

    The vast majority of government workers are people who could not get jobs in the private sector.
    They are mindless drones interested in only putting in their 8 hours and getting home as fast as possible.
    They have little to no security on their own personal computers and blame other people when their crap goes tits up.
    Do you really think they are going to care more for the computers or systems they have at work?
    Hell no.
    They think computer security is turning off the monitor at night and locking the doors. Sorry, locking the doors is the custodial staff’s business, not theirs.

    The weakest link to any security system is the human element. And in a computer environment the first, fastest, and best security for an office network is the IT guy. Next time you go into any office look at the IT guy, does he really look like he is up to a top security task? Or does he look like some young college geek who is doing the IT work just for a little cash until classes start again? Does he really look like he belongs on a serious security team? Mine has trouble installing a printer the right way. If Windows doesn’t do it automatically it cannot be done.

  • Edward

    Also from the Congressional hearing:
    https://www.youtube.com/watch?v=A9Y6IefNq2Q (4 minutes)
    “I wish that you were as strenuous and hard working at keeping information out of the hands of hackers as you are at keeping information out of the hands of Congress.”

    Who was it that said the government wasn’t the solution but was the problem? That’s right: Ronald Reagan. Still right, after all these years.
