Capitol Hill employees who confidentially made formal complaints about sexual harassment and other workplace violations were left exposed, potentially for years, by the very office charged with handling their complaints.
The Office of Compliance (OOC) improperly stored - on a third-party server that lacked basic security measures - sensitive files related to claims of sexual harassment and discrimination, according to congressional correspondence obtained by Gizmodo.
After acknowledging that the server was vulnerable in December, the OOC took no action to secure the files for more than two months.
The theft of such sensitive information would not only imperil the legislative branch employees who filed the complaints, leaving them vulnerable to retaliation and further abuse, it also poses a significant risk to national security.
"We have here a highly attractive target for any bad actor - be it politically motivated inside the United States, or indeed a foreign intelligence agency - that would allow an adversary to put politicians under pressure, privately or publicly," said Thomas Rid, professor of strategic studies at Johns Hopkins University.
The OOC, which is charged with handling workplace-violation claims pursuant to the Congressional Accountability Act, failed to take basic steps to protect "deeply sensitive information" provided by Capitol Hill staff "who have experienced sexual harassment and other workplace abuses," according to a February 23rd letter signed by Sen. Ron Wyden, Democrat of Oregon.
As first reported by The Washington Post, OOC disclosed the server's issues to Wyden during a December 14th meeting, according to the letter, which was addressed to OOC chair Barbara Childs Wallace, an attorney at the Mississippi-based law firm Wise Carter Child & Caraway. During the meeting, Wyden learned that the server, operated by a third-party contractor, had never undergone a cybersecurity audit.
The OOC is currently led by Executive Director Susan Tsui Grundmann, former chair of the U.S. Merit Systems Protection Board.
"My staff also learned that the OOC has failed to take even the most basic steps to protect the deeply sensitive information entrusted to it by legislative branch employees who have experienced sexual harassment and other workplace abuses," wrote Wyden.
"Moreover, the OOC has never hired anyone to focus on cybersecurity, nor does the OOC currently employ a full-time system administrator," Wyden continued, adding: "OOC's failure to take these basic steps leaves current and former congressional employees needlessly vulnerable to the possibility of having aspects of their lives exposed that they may or may not choose to disclose on their own."
Four days after OOC received the letter, the server was taken offline. It was then moved to a secure congressional facility and put back online March 27th, according to a second Wyden letter, sent to OOC this week. The server is no longer connected to the internet, it says.
A Wyden aide told Gizmodo that following the December meeting, the Senator urged congressional leaders, including Senate Majority Leader Mitch McConnell, to pressure OOC into securing the data. But Wyden's concerns fell on deaf ears, the aide said.
"Congressional staff already face tremendous risk in coming forward with allegations of sexual harassment and assault," Kristin Nicholson, director of the Government Affairs Institute at Georgetown University, told Gizmodo. "It's unconscionable that Congress would allow the deeply sensitive information these staffers have shared to be placed at risk as well."
Nicholson, who thanked Wyden for pursuing the issue, said she hoped that OOC and other congressional offices would be more vigilant in the future.
Gizmodo contacted OOC on Friday and asked whether the victims of harassment would be notified individually about the lack of security surrounding their complaints. OOC did not respond to multiple requests for comment.