There have been a large number of news reports in the last year dealing with cyber-hacking, but one recent case is not garnering as much attention as it probably should. U.S. Investigations Services (USIS), the government’s leading security clearance contractor, had its networks penetrated for months before the company noticed. For many people, the impact of the USIS break-in is dwarfed by recent intrusions that exposed credit and private records of millions of customers at JPMorgan Chase & Co., Target Corp. and Home Depot Inc. Despite the lack of direct effect on consumers, it is significant because the government relies heavily on contractors to perform background checks on U.S. workers in sensitive jobs.
The possibility that national security background investigations are vulnerable to cyber-espionage could undermine the integrity of the verification system used to review more than 5 million government workers and contract employees. “The information gathered in the security clearance process is a treasure chest for cyber hackers. If the contractors and the agencies that hire them can’t safeguard their material, the whole system becomes unreliable,” said Alan Paller, head of SANS, a cybersecurity training school, and former co-chair of the Department of Homeland Security (DHS) task force on cyber skills. In particular, this breach compromised the private records of at least 25,000 employees at the Homeland Security Department and cost the company hundreds of millions of dollars in lost government contracts.
Speaking on condition of anonymity, officials and others familiar with an FBI investigation and related official inquiries spoke with the Associated Press. According to them, the investigation is not only trying to identify the perpetrators and scope of the stolen material, but has prompted concerns about why the internal detection alarms failed to notice the hackers for so long and whether the government agencies that hired USIS should have monitored the company’s practices more closely. In particular, former USIS employees have raised questions about why the company and the government failed to ensure that outdated background reports containing personal data were not regularly purged from the company’s computers, leaving the information vulnerable when it otherwise should have been deleted.
The workers told the Associated Press that company investigators sometimes stored old or duplicate background reports that should have been purged from their laptops. The reports contained sensitive financial and personal data that could be used for blackmail or to harm government workers’ credit ratings, the former workers said. Former USIS employees who worked with the federal personnel office said the system they used directed users to purge old reports. But the workers said USIS and Office of Personnel Management (OPM) rarely followed up with spot checks. Employees who worked on systems with the Homeland Security Department said these had no similar automatic warning function and spot checks were rare. The company insisted spot checks were regularly performed.
Recently, the leaders of the Senate Homeland Security and Governmental Affairs Committee, Tom Carper, D-Del., and Tom Coburn, R-Okla., pressed OPM and the Department of Homeland Security about their oversight of contractors and USIS’ performance before and during the cyberattack. Another committee member, Sen. Jon Tester, D-Mont., said he worried about the security of background check data, stating that contractors and federal agencies need to “maintain a modern, adaptable and secure IT infrastructure system that stays ahead of those who would attack our national interests.” Having seemingly lost faith in USIS, the Office of Personnel Management and the Homeland Security Department indefinitely halted all USIS work on background investigations in August.
The Office of Personnel Management, which paid the company $320 million for investigative and support services in 2013, later decided not to renew its background check contracts with the firm. The move prompted USIS to lay off its entire force of 2,500 investigators. Additionally, the federal Government Accounting Office (GAO) ruled that Homeland Security should re-evaluate a $200 million support contract award to USIS. The GAO advised the department to consider shifting the contract to FCi Federal, a rival firm, prompting protests from USIS. If you need more information, contact Rebecca Gilliland, a lawyer in our Consumer Fraud Section, at 800-898-2034 or by email at Rebecca.Gilliland@beasleyallen.com.
Contact us today for a free legal consultation with an experienced attorney.
Fields marked *may be required for submission.
If you would like to subscribe to the Jere Beasley Report digital edition, simply visit our Subscriptions page and provide the necessary information or call us at 800-898-2034.
Attorney Advertising - Prior results do not guarantee a similar outcome.