The largest union of federal employees says neither the Office of Personnel Management nor its recent government contractors were able to maintain adequate security for personal data developed as background checks were run on potential employees, and said these failures are a big reason why thieves were able to hack into OPM's system and steal information on millions of current and former workers.
The American Federation of Government Employees filed a class-action lawsuit against OPM on Monday that said OPM's historical failure to shore up its cybersecurity systems was a major problem. But it also said KeyPoint Government Solutions also needs to bear much of the blame, as this company had its own "cybersecurity weaknesses."
OPM Director Katherine Archuleta, who is also named as a defendant in the suit, testified before Congress recently that hackers accessed OPM's systems using a KeyPoint employee's credentials. KeyPoint doesn't dispute that narrative but maintains it is not responsible for attacks.
But AFGE's lawsuit says KeyPoint was a very weak link in the chain. The suit says that according to an unnamed forensic expert, KeyPoint "never set up logs," which means the company itself can't say how it was compromised.