10 Dec 2018

OPM update from 2015 breach of 22M

The Office of Personnel Management (OPM) had the personally identifiable information of about 22M federal employees stolen in 2015. The 2015 breach exposed data on government employees, contractors, and in some cases their family members or friends, including names, dates of birth, and SSNs. As a result, the National Treasury Employees Union (NTA) and the American Federation of Government Employees (AFGE) each filed negligence lawsuits.

The Government Accountability Office (GAO) produced a report https://www.gao.gov/assets/700/695368.pdf to Congress in December 2018. It indicates that, as of the September 26 briefing for staff of the Senate and House Appropriations Subcommittees on Financial Services and General Government, only 51 of the 80 prescribed remediations had been implemented; for the remainder, OPM had not provided sufficient evidence that the work was done.

Among the recommendations OPM did implement were strengthening firewall controls, enforcing password policies, restricting access to a key server, logging security-related activities, and updating the contingency plan for a high-impact system.

Recommendations still lacking sufficient evidence as of September included eliminating admin accounts shared by multiple people, implementing procedures to govern the use of special privileges on a key computer, encrypting passwords both stored on and in transit across the network, and installing the latest OS versions on a high-impact system's network devices.
