
Congressional Office Stored Sexual Harassment Complaints on an Unsecured Private Server


Capitol Hill employees who confidentially made formal complaints about sexual harassment and other workplace violations were left exposed, potentially for years, by the very office charged with handling their complaints.


The Office of Compliance (OOC) improperly stored—on a third-party server that lacked basic security measures—sensitive files related to claims of sexual harassment and discrimination, according to congressional correspondence obtained by Gizmodo.

After acknowledging in December that the server was vulnerable, the OOC took no action to secure the files for more than two months.


The theft of such sensitive information would not only imperil the legislative branch employees who filed the complaints, leaving them vulnerable to retaliation and further abuse; it would also pose a significant risk to national security.

“We have here a highly attractive target for any bad actor—be it politically motivated inside the United States, or indeed a foreign intelligence agency—that would allow an adversary to put politicians under pressure, privately or publicly,” said Thomas Rid, professor of strategic studies at Johns Hopkins University.

The OOC, which is charged with handling workplace-violation claims pursuant to the Congressional Accountability Act, failed to take basic steps to protect “deeply sensitive information” provided by Capitol Hill staff “who have experienced sexual harassment and other workplace abuses,” according to a February 23rd letter signed by Sen. Ron Wyden, Democrat of Oregon.


As first reported by The Washington Post, OOC disclosed the server’s issues to Wyden during a December 14th meeting, according to the letter, which was addressed to OOC chair Barbara Childs Wallace, an attorney at the Mississippi-based law firm Wise Carter Child & Caraway. During the meeting, Wyden learned that the server, operated by a third-party contractor, had never undergone a cybersecurity audit.

The OOC is currently led by Executive Director Susan Tsui Grundmann, former chair of the U.S. Merit Systems Protection Board.


“My staff also learned that the OOC has failed to take even the most basic steps to protect the deeply sensitive information entrusted to it by legislative branch employees who have experienced sexual harassment and other workplace abuses,” wrote Wyden.

“Moreover, the OOC has never hired anyone to focus on cybersecurity, nor does the OOC currently employ a full-time system administrator,” Wyden continued, adding: “OOC’s failure to take these basic steps leaves current and former congressional employees needlessly vulnerable to the possibility of having aspects of their lives exposed that they may or may not choose to disclose on their own.”


Four days after OOC received the letter, the server was taken offline. It was then moved to a secure congressional facility and put back online March 27th, according to a second Wyden letter, sent to OOC this week. The server is no longer connected to the internet, it says.

A Wyden aide told Gizmodo that following the December meeting, the Senator urged congressional leaders, including Senate Majority Leader Mitch McConnell, to pressure OOC into securing the data. But Wyden’s concerns fell on deaf ears, the aide said.


“Congressional staff already face tremendous risk in coming forward with allegations of sexual harassment and assault,” Kristin Nicholson, director of the Government Affairs Institute at Georgetown University, told Gizmodo. “It’s unconscionable that Congress would allow the deeply sensitive information these staffers have shared to be placed at risk as well.”

Nicholson, who thanked Wyden for pursuing the issue, said she hoped that OOC and other congressional offices would be more vigilant in the future.


Gizmodo contacted OOC on Friday and asked whether the victims of harassment would be notified individually about the lack of security surrounding their complaints. OOC did not respond to multiple requests for comment.

Senior Reporter, Privacy & Security



This does not surprise me in the least bit. There are many government-held servers that do not adhere to basic security; part of the problem is that a lot of these places use temp agencies to fill in for their IT needs. So now you have a revolving door of IT admins with some that know what they are doing and some who don’t. They have a hard time filling in permanent positions because they often pay significantly less than if the admin were to work in the private sector.

When I interviewed for a position at one of the government offices here in Chicago they offered me 20k less a year than what everyone else was paying for the same work.