Information about sexual harassment and other workplace misconduct on Capitol Hill was at risk of being hacked until the office that handles these cases implemented new cybersecurity controls earlier this year, according to Sen. Ron Wyden (D-Ore.).
The Office of Compliance stored data about staff complaints and lawmaker settlements on an insecure server operated by a third-party contractor until late February, Wyden stated in a letter to the OOC sent Feb. 23 in which he demanded that the office improve its cybersecurity. In a follow-up letter on Thursday, he noted that the system was updated last month, is housed in a secure congressional facility and is no longer connected to the Internet.
“This configuration is decidedly more secure than before, and will help the OOC protect the identities and information of victims,” Wyden wrote to Barbara Childs Wallace, head of the OOC’s Board of Directors.
Hacked details about sexual-harassment cases would be explosive on Capitol Hill, where the #MeToo movement has ended the careers of several lawmakers accused of misconduct by staff or others. Tasked with adjudicating employment cases in the legislative branch, the OOC releases almost no data to the public about its work, which includes facilitating taxpayer-funded settlements between lawmakers and accusers.
[How Congress plays by different rules on sexual harassment and misconduct]
Though the office has been under scrutiny since last fall, its approach to cybersecurity was not previously known. OOC Deputy Executive Director Paula Sumberg declined to comment via email.
A wave of news coverage since last fall has shed some light on the OOC’s operations. Still, the identities of most lawmakers involved in workplace settlements have not been revealed publicly.
Members of Congress have spent $17.2 million in public funds to settle employment complaints in the past 20 years.
Wyden pointedly criticized the OOC’s system in his Feb. 23 letter, accusing the office of concealing its use of an insecure server and failing to implement even “rudimentary defensive network-security best practices” to protect its data.
“The OOC’s astonishingly lax security measures provide the means for hostile actors to access, modify, delete, or disseminate embarrassing and compromising information about legislative branch staff who have reported incidents of sexual harassment,” he wrote.
It is “inconceivable,” he added, that the OOC would “watch as other federal government institutions were systematically targeted by foreign intelligence agencies and decide that it did not need to take even the most rudimentary steps to protect itself and the sensitive data which has been entrusted to it.”
It was not clear whether the OOC was under pressure from other senators to improve its cybersecurity practices. The Library of Congress is technically responsible for the office’s technology, Wyden wrote; a spokeswoman for the Library, Gayle Osterberg, said that role had not included cybersecurity.
Wyden, the ranking Democrat on the Senate Finance Committee, wrote that the Library of Congress’s chief information security officer did not know about the OOC’s server issue until the office briefed his staff in mid-December. His staff told congressional leaders about the situation after the briefing, he wrote.
This story has been updated.
