Surprise! House Oversight report blames OPM leadership for records breach

  • Report Blame: A Republican majority report from the House Oversight and Government Reform Committee blames the 2014 and 2015 OPM data breaches on OPM's leadership, saying basic cyber hygiene was long neglected and available tools were not used. Former OPM CIO Donna Seymour lied during testimony.
  • Breach Details: There were two separate, extensive breaches. One started in 2013 and was discovered in 2014, exposing manuals and technical information. A second attack, likely by "Axiom Group" and "Deep Panda", targeted background investigation, personnel, and fingerprint data. The attacks used domains such as opmsecurity.org and opmlearning.org.
  • Investigation Tool: CyFIR from CyTech Services was used in investigating the breach but was never actually purchased by OPM. Seymour said OPM had bought licenses and that the tool ran in a segregated test network, but it was demonstrated on the live network and no licenses were bought. OPM returned the trial software.
  • Report Recommendations: Federal agencies should ensure CIOs are empowered and accountable, provide justification for using systems without an authorization to operate (ATO), move to a "zero trust IT security model", and reduce the use of Social Security numbers for employee identification.
  • Reaction and Response: Rep. Elijah Cummings rejected the report, claiming that it has factual deficiencies and that OPM contractors' errors were not considered. OPM Director Beth Cobert said that, while OPM disagrees with some aspects of the report, it welcomes the recognition of its response and progress. OPM also provided a statement regarding CyTech's services.