When the federal government announced earlier this month that Chinese hackers had stolen sensitive personnel records of 4.2 million current and former government employees, the biggest surprise was that it had taken so long for this kind of breach to occur. Many of the security vulnerabilities that likely contributed to the data breach had already been uncovered by government auditors. The most frustrating part of this whole affair is that it might have been prevented if the target of the breach, the Office of Personnel Management (OPM), had followed the federal rules for information security. Federal agencies are routinely targets for cyberattacks, so ignoring these vulnerabilities comes at great risk. The long-term solution to this problem is to build a culture in federal agencies that does not tolerate such poor performance.