More than three years after suffering one of the largest cyber-attacks in US government history, the Office of Personnel Management has yet to adopt dozens of the security measures investigators ordered, including basic stuff like changing passwords.
A report issued this week by Government Accountability Office (GAO) disclosed that the OPM has failed to comply with more than a third of recommendations its investigators made for improving the office's network security and data protection.
The GAO audit (PDF) looked over a series of four reports its investigators issued between 2015 and 2017 concerning the massive theft of sensitive records on around 21.5 million current, former, and prospective government workers from Uncle Sam's computer systems.
Since the last report was written in August of 2017, GAO says that OPM has only complied with 51 of those 80 items. Far from being abstract, bureaucratic measures, the lapses noted by the audit include some very basic security practices.
Among the recommendations that have not been implemented was the call for OPM to reset its passwords after the network was ransacked, as well as the failure to "install critical patches in a timely manner, periodically evaluate accounts to ensure privileged access is warranted, and assess controls on selected systems as defined in its continuous monitoring plan."
In other words, more than three years after it was hacked, apparently by the Chinese, and relieved of the sensitive personal details of more than 20 million Americans, including their intelligence clearance paperwork, the OPM still can't be bothered to change passwords or install Windows updates.
The GAO audit goes on to note other poor security practices, including admin accounts shared by multiple staffers, a failure to encrypt passwords (both stored and in transit), and a failure to install the latest patches on network devices that connect to "high impact" machines holding sensitive data.
"Implementing all of the remaining open recommendations expeditiously is essential to OPM ensuring that appropriate security controls are in place and operating as intended," the GAO report concludes.
"Until OPM implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption."
The OPM, for its part, is working to get caught up on the recommendations. The GAO says the agency plans to address 25 of the 29 outstanding items by the end of the year and address another three in 2019.