A report from the Republican majority on the House Oversight and Government Reform Committee published today places blame for the 2014 and 2015 data breaches at the Office of Personnel Management squarely on the OPM's leadership. The report finds that the long-time network infiltration that exposed sensitive personal information on about 21.5 million individuals could have been prevented but for "the longstanding failure of OPM's leadership to implement basic cyber hygiene."

"Tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency's extensive responsibilities," the report concluded. And the committee's majority report also asserted that former OPM Chief Information Officer Donna Seymour lied repeatedly during her testimony, misstating how the agency responded to the breach and misleading Congress and the public about the damage done by the attack. Ars extensively covered the shortfalls in OPM's security last year.

The House Oversight report reveals that there were two separate, extensive breaches. The first began as early as November 2013, went undiscovered until March 2014, and was not shut down completely until two months later; it allowed attackers to obtain manuals and technical information about the types of data stored in OPM systems. A second attack began shortly afterward, targeting background investigation data, personnel records, and fingerprint data. These breaches were determined to be likely conducted by the "Axiom Group" and "Deep Panda," respectively, two China-based hacking groups alleged to have ties to the Chinese government. The attacks used a series of domains (some with OPM-related names, such as opmsecurity.org and opmlearning.org, and registered under the names of Marvel superheroes Tony Stark (Iron Man) and Steve Rogers (Captain America)) to control malware and exfiltrate stolen data.

Ironically, one of the tools used in investigating the ongoing breach, CyFIR from CyTech Services, was never actually purchased by OPM. (Another tool provider, Cylance, initially detected the malware associated with the second breach, according to the Congressional report, though CyFIR was used a few weeks later to survey the breach; Cylance has been using the Congressional report to tout its key role in the initial discovery of the intrusion.) Though Seymour told Congress OPM had purchased licenses after a trial in a segregated test network, the tool was actually demonstrated on OPM's live network, and no licenses were ever purchased. OPM officials returned the trial software after deleting images from OPM's own incident response—images that included "more than 11,000 files and directories" of forensic data, the report noted.

"Documents and testimony show CyTech provided a service to OPM and OPM did not pay," the report found, noting that this violated federal law against accepting voluntary services.

[Update, 3:00 PM ET] Ars received the following statement from Samuel Schumach, Press Secretary for OPM, regarding CyTech's services:

OPM has never received a request for payment from CyTech for services rendered or licenses provided during the product demonstration they conducted during the 2015 breach response. If and when OPM receives any such request, OPM will pay any appropriate amounts owed and required by law. As part of CyTech’s product demonstration, which took place over approximately a two-week period, its CyFIR tool was deployed to a limited number of machines utilizing licenses provided by CyTech. The tool was removed from our networks, and CyTech’s equipment was returned to the company at their request. OPM did receive a request from CyTech in connection with an alleged verbal contract for their product. However, OPM never heard back from CyTech after we asked for more information.

The report recommended that federal agencies "must ensure agency CIOs are empowered, accountable, competent, and retained for more than the current average of two years," and that agencies promptly provide justification to Congress for continuing to use systems when their "authority to operate" (ATO)—the certification that they are operating in compliance with federal information security regulations—lapses. Eleven of OPM's systems had been operating without an ATO at the time of the breach, in some cases for a year or more.

The report also recommended that OMB and other federal agencies move toward a "zero trust IT security model" where users on the network are treated with the same level of security as users outside the network and that agencies reduce the use of Social Security numbers in identifying employees to reduce the risk of exposure of personal identifying information.

Reuters reports that Rep. Elijah Cummings (D-Md.), the ranking minority member of the House Oversight Committee, rejected the Republicans' report, claiming factual deficiencies. Rep. Cummings also said that the errors made by OPM's contractors were not sufficiently taken into account in the assessment. Two OPM contractors were involved in breaches of background investigation data.

In an OPM blog post in response to the report, OPM Director Beth Cobert wrote, "While we disagree with many aspects of the report, we welcome the committee’s recognition of OPM’s swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies, and processes. We also appreciate the panel’s willingness to work with us on these important issues and find many of the final recommendations to be useful for OPM and the Federal Government at-large."