The biggest federal data breach affecting over 21 million Americans could have been prevented if OPM had heeded warnings and implemented basic cyber “hygiene,” according to a congressional investigation.
The Office of Personnel Management, aka the federal government’s HR office, faces new criticism following a newly released report detailing the timeline leading up to the nation’s largest data breach. Apparently, OPM had been tracking one hacker’s movements and devised a dragnet called the “Big Bang” to catch the perpetrator red-handed. With all their attention focused on that hacker, another hacker gained access, slipped into their systems undetected, and managed to make off with the personal data of more than 20 million people. In addition, more than 5 million fingerprints were nabbed.
The report reads like the plot of a spy movie. The first hacker was discovered back in March 2014, when a Homeland Security Department team noticed an after-hours stream of data leaving their system, akin to a truck pulling up to the back of a building and hauling out cabinets of documents. After tracking the hacker for a couple of months, they devised a plan to expose and kick out the perpetrator by resetting administrative accounts, building new accounts for those that had been compromised, and taking compromised systems offline.
But, as the Associated Press reports, they were totally ignorant of another hacker who managed to gain physical access to their system and was doing far more damage:
Unknown to the experts focused on expelling the hacker, a second intruder posing as an employee of a federal contractor had infiltrated the system weeks before "the Big Bang." That hacker used a contractor's credentials to log into the system, install malicious software and create a backdoor to the network, according to the report.
Over the next several months, roaming unchecked through the system, the hacker stole sensitive security clearance background investigation files, personnel files and, ultimately, fingerprint data.
That breach was not detected until April 2015, when an OPM contract employee traced the flow of stolen material back to an Internet address that had been registered to Steve Rogers, the alter ego of Captain America, indicating a spoof account. By then, sensitive information on millions of American workers had already been compromised.
Not only was the data breach damaging to 21 million current, former, and prospective federal employees, but OPM was dishonest to the American public about the scope of the breaches and about the fact that they appeared to be connected, perhaps coordinated, rather than a coincidence:
The congressional report said OPM officials misled the public about the scope of the breach and also by saying the two breaches were unrelated when, instead, "they appear to be connected and possibly coordinated."
"The two attackers shared the same target, conducted their attacks in a similarly sophisticated manner, and struck with similar timing," the report said.
Trying to follow the OPM hacking developments over the past couple of years was a struggle. It was difficult to understand just how big the data breaches were, because OPM intentionally filtered information. At the time we suspected they probably didn’t know how big the breach was. Now, we can confirm that they eventually knew but wanted to keep the public in the dark.
The biggest travesty that this report reveals is that OPM created this situation for itself because of lax security procedures. They had been warned as far back as 2005 of the vulnerability of their systems. Even after the breaches occurred, OPM struggled to implement basic, required security controls and tools or cyber “hygiene.”
A new leader, investigations, reports, and tons of press later, we can only hope that OPM has done better. Not surprisingly, OPM’s response to the report is that it doesn’t reflect where the agency is today. Let’s hope that means their cyber hygiene is better than before. Unfortunately, we won’t know until the next successful cyberattack.