A cyberattack on federal security clearance contractor USIS, was unnoticed for months before it was revealed by the company and government agencies earlier this year.
Officials and others familiar with an FBI investigation and related official inquiries told that the breach, similar to previous hacker intrusions from China, compromised the private records of at least 25,000 employees at the Homeland Security Department and cost the company hundreds of millions of dollars in lost government contracts.
In addition to trying to identify the perpetrators and evaluate the scale of the stolen material, the government inquiries have prompted concerns about why computer detection alarms inside the company failed to quickly notice the hackers and whether federal agencies that hired the company should have monitored its practices more closely.
Former employees of the firm, whose full name is U.S. Investigations Services LLC, also have raised questions about why the company and the government failed to ensure that outdated background reports containing personal data weren't regularly purged from the company's computers. A computer forensics analysis by consultants hired by the company's lawyers defended USIS' handling of the breach, noting it was the firm that reported the incident.
USIS reported the cyberattack to federal authorities on June 5, more than two months before acknowledging it publicly. The attack had hallmarks similar to past intrusions by Chinese hackers, according to people familiar with the investigation. Last March, hackers traced to China were reported to have penetrated computers at the Office of Personnel Management, the federal agency that oversees most background investigations of government workers and has contracted extensively with USIS.
For many people, the impact of the USIS break-in is dwarfed by recent intrusions that exposed credit and private records of millions of customers at JPMorgan Chase & Co., Target Corp. and Home Depot Inc. But it's significant because the government relies heavily on contractors to vet U.S. workers in sensitive jobs. The possibility that national security background investigations are vulnerable to cyber-espionage could undermine the integrity of the verification system used to review more than 5 million government workers and contract employees.
Last month, the leaders of the Senate Homeland Security and Governmental Affairs Committee, Tom Carper, D-Del., and Tom Coburn, R-Okla., pressed OPM and DHS about their oversight of contractors and USIS' performance before and during the cyberattack.
The Office of Personnel Management and the Homeland Security Department indefinitely halted all USIS work on background investigations in August. OPM, which paid the company $320 million for investigative and support services in 2013, later decided not to renew its background check contracts with the firm. The move prompted USIS to lay off its entire force of 2,500 investigators.
A company spokesperson complained that the agency has not explained its decision. Representatives from OPM and DHS declined comment. Last month, the federal Government Accounting Office ruled that Homeland Security should re-evaluate a $200 million support contract award to USIS. The GAO advised the department to consider shifting the contract to FCi Federal, a rival firm, prompting protests from USIS.
Federal officials familiar with the government inquiries said those assessments raised concerns that USIS' computer system and its managers were not primed to rapidly detect the breach quickly once hackers got inside. The computer system was probably penetrated months before the government was notified in June, officials said.
Cybersecurity experts say attacks on corporate targets often occur up to 18 months before they are discovered and are usually detected by the government or outside security specialists. Still, USIS noted its own security preparations "enabled us to self-detect this unlawful attack." Padres said the hackers attacked a vulnerable computer server in "a connected but separate network, managed by a third party not affiliated with USIS." He did not identify the outside company.
Former USIS employees who worked with the federal personnel office said the system they used directed users to purge old reports. But the workers said USIS and OPM rarely followed up with spot checks. Employees who worked on systems with the Homeland Security Department said these had no similar automatic warning function and spot checks were rare. The company insisted spot checks were regularly performed.
Several former USIS workers said they were told nothing by the company about the cyberattack for two months after the breach was exposed. In emails obtained by the AP, company workers were ordered to change their passwords without explanation. The USIS spokesperson said the government directed the company's decision to keep silent about the breach. Experts said companies often withhold such information for both security and management reasons. "Employees may not like it," Paller said, "but from a business perspective, that's what companies do."