Knowing, as I do, the operation of IT in Federal agencies, this is 100% against the law and is a very severe risk to the information infrastructure at the Federal level.
I raised a big stink about it when it happened. No one seemed to be as upset as I, probably due to the esoteric and technical nature of this issue. I seriously wonder if this (and Hillary's unsecured server) were how foreign countries got behind the firewall to get into OPM records.
I concur. I was waving the red flag madly about telling anyone who would listen that the ACA website should not be used due to the near-certainty of being exposed to identity theft.
With regards to the OPM theft, the database was reportedly breached via a Chinese subcontractor who was granted admin access to do some technical work.