A House Oversight and Government Reform committee report said a "failure of culture and leadership" led to the massive data breach at the Office of Personnel Management (OPM) between 2014 and 2015.
The report, prepared by the committee's Republican majority and released Wednesday, said the breach was so severe it may have compromised national security “for more than a generation.”
Between July 2014, and May 2015, hackers were able to break into the OPM’s data systems, where they gained access to information on more than 4.2 million current and former government employees, in addition to security clearance background information on 21.5 million individuals.
Included in the stolen security clearance information was fingerprint data for 5.6 million people.
The report said the theft of this information was particularly harmful because people who apply for security clearances hold “some of the most sensitive positions in our government.”
“Background investigations conducted on these individuals are designed to identify the types of information that could be used to coerce an individual to betray their country,” the report said.
Security clearance applicants are required to provide “extensive financial information,” employment histories, places of residence, and the names and addresses of any relatives.
Applicants are also asked about health problems, including whether they have sough mental health treatments. Gambling, drug and alcohol abuse issues are also asked of all applicants.
The report said that OPM leadership had been warned repeatedly since “at least 2005,” that its employee data files were “vulnerable to hackers."
“The [Office of Personnel Management’s] senior leadership failed to fully comprehend the extent of the compromise,” the report said, "allowing the hackers to remove manuals and other sensitive materials that essentially provided a roadmap to the OPM IT environment and key users for potential compromise.”
The committee’s report said the Office of Personnel Management “misled Congress and the public to diminish the damage” hackers caused, and that the agency’s failure to “implement basic cyber hygiene” on its computer systems “represents a failure of culture and leadership, not technology.”
The agency’s director, Katherine Archuleta, resigned in June 2015.
Before becoming head of the federal government’s personnel agency, Archuleta served as the political director for Obama for America, which oversaw the President’s 2012 re-election campaign, and before that as chief of staff to former Labor Secretary Hilda Solis.
In a blog post published on Wednesday, OPM Acting Director Beth Cobert said the committee's report "does not fully reflect where this agency stands today."
"While we disagree with many aspects of the report," Cobert said, "we welcome the committee’s recognition of OPM’s swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies and processes."
Cobert said the agency has "made significant progress to strengthen our cybersecurity posture, and re-establish confidence in this agency’s ability to protect data while delivering on our core missions."
Among the steps the agency has taken, Cobert said, is working with the Department of Defense, which is "designing, building, and will operate the IT infrastructure for the new National Background Investigations Bureau, the OPM-based entity that will conduct background investigations for the federal government in the future."
Cobert said the data breaches were "a catalyst for accelerated change within our organization," which includes a "strong working relationship" with its inspector general.
"We are committed, we are dedicated, and most importantly, we are working tirelessly to continuously enhance the security of our data and fulfill our important mission for the American people," Cobert said.