The federal agency that stored, and lost, millions of current and former government employees’ sensitive files, fingerprints, and security clearances spent only a small fraction of what other federal agencies allocated for cybersecurity, according to a new report published by the House Oversight and Government Reform Committee on Wednesday.

The Office of Personnel Management breach, announced last June, involved the personal data of over 20 million individuals and was described by a former NSA senior official as “crown-jewels material.” The report was the conclusion of a year-long investigation following the breach.

The personnel agency spent just $2 million in 2015 to prevent malicious cyber activity, while the Department of Agriculture doled out $39 million. The departments of Commerce, Education, and Labor also spent more in this area. Among the categories of cybersecurity spending delineated by the committee — preventing malicious cyber activity, detecting, analyzing, and mitigating intrusions, and shaping the cybersecurity environment — only the Small Business Administration spent as little as OPM (although Small Business Administration spent more overall on cybersecurity).

OPM responded by saying the report does not actively reflect the progress the agency has made since the hack, and Rep. Elijah Cummings, D-Md., the ranking Democrat on the House Oversight Committee, insisted the report was flawed, in part because it failed to place blame on or otherwise account for the contractors involved in the agency’s cybersecurity. Additionally, an entirely new agency, the National Background Investigations Bureau, will now be in charge of the security clearance process.

More money doesn’t necessarily mean better security, however. According to analysis from the Mercatus Center at George Mason University published in January 2015, the government invested more money in cybersecurity, but failed to stem the increasing flow of cyber breaches.

Yet for an agency tasked with protecting sensitive personnel data, it didn’t appear to invest much in making sure adversaries couldn’t access its databases. The breach, according to many national security officials, will take years to recover from.

“Despite this high value information maintained by OPM, the agency failed to prioritize cybersecurity,” wrote the authors of the report, including Committee Chairman Rep. Jason Chaffetz, R-Utah, Rep. Mark Meadows, R-N.C., and Rep. Will Hurd, R-Texas.

See the chart depicting how much agencies spent on cyber in 2015 below:


The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, and FY2015 Office of Management and Budget Annual Report to Congress: Federal Information Security Management Act