A class-action lawsuit filed by a government employees’ union against the Office of Personnel Management as a result of the massive data breach at OPM that affects more than 18 million people alleges that not only did the agency know about vulnerabilities in its network long before the attack, but that the agency’s director and CIO both broke federal laws by ignoring directives to fix the weaknesses.
The suit, filed Monday in U.S. District Court in Washington by the American Federation of Government Employees, alleges that OPM staff ignored repeated warnings about severe vulnerabilities in the agency’s network and that OPM Director Katherine Archuleta and CIO Donna Seymour ran afoul of the law when they didn’t implement fixes prescribed by the Office of the Inspector General after security audits. The AFGE is the largest union of federal government employees, representing 650,000 people.
In the wake of the OPM breach, members of Congress grilled Archuleta and Seymour in a hearing on the conditions that led to the breach, saying that the agency had completely failed to protect the data of millions of government employees by not implementing database encryption, two-factor authentication, and other basic defenses. The lawmakers grew frustrated with Archuleta and Seymour not answering their questions directly.
“This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in,” said Rep. Stephen Lynch (D-Mass.). “You’re doing a great job stonewalling us, but hackers, not so much.”
An audit of the OPM’s systems from November 2014 found systemic weaknesses in the agency’s security infrastructure, including a large number of systems running on the network without valid authorization and no comprehensive vulnerability scanning program.
“The drastic increase in the number of systems operating without a valid Authorization is alarming, and represents a systemic issue of inadequate planning by OPM program offices to authorize the information systems they own,” the OIG report says.
In the lawsuit, the AFGE alleges that OPM leaders and top technical staff knew about the weaknesses and just didn’t fix them.
“Since at least 2007, the OPM has been on notice of significant deficiencies in its cyber security protocol. Despite the fact that the OPM handles massive amounts of federal applicants’ private, sensitive, and confidential information, the OPM failed to take steps to remedy those deficiencies. The OPM’s Office of Inspector General (‘OIG’) was required under federal law to, and did, conduct annual audits of the OPM’s cyber security program and practices, identifying ‘material weakness[es]’ as far back as 2007. The OPM not only failed to cure the weaknesses, but the OIG found that in many areas the OPM’s performance actually got worse. According to a 2014 OIG report, the ‘drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own’,” the lawsuit says.
The suit by AFGE seeks unspecified damages.