Security contractor breach not detected for months

Former employees of the firm, U.S. Investigations Services LLC, also have raised questions about why the company and the government failed to ensure that outdated background reports containing personal data were not regularly purged from the company’s computers.

Federal officials familiar with the case spoke about it only on condition of anonymity because they were not authorized to comment publicly on the continuing criminal investigation. Others with knowledge about the case requested anonymity because of concerns about possible litigation.

A computer forensics analysis by consultants the company’s lawyers hired defended USIS’ handling of the breach, noting it was the firm that reported the incident.

The analysis said government agencies regularly reviewed and approved the firm’s early warning system. In the analysis, submitted to federal officials in September, the consultants criticized the government’s decision in August to indefinitely halt the firm’s background investigations.

USIS reported the cyberattack to federal authorities June 5, more than two months before acknowledging it publicly. The attack had hallmarks similar to past intrusions by Chinese hackers, according to people familiar with the investigation. Last March, hackers traced to China were reported to have penetrated computers at the Office of Personnel Management, the federal agency that oversees most background investigations of government workers. It has contracted extensively with USIS.

In an interview, Joseph Demarest, assistant director of the FBI’s cyber division, described the hack as “sophisticated” but said “we’re still

For many people, the impact of the USIS break-in is dwarfed by recent intrusions that exposed credit and private records of millions of customers at JPMorgan Chase & Co., Target Corp. and Home Depot Inc. But it is significant because the government relies heavily on contractors to vet U.S. workers in sensitive jobs. The possibility that national security background investigations are vulnerable to cyber-espionage could undermine the integrity of the verification system used to review more than 5 million government workers and contract employees.

“The information gathered in the security clearance process is a treasure chest for cyber hackers. If the contractors and the agencies that hire them can’t safeguard their material, the whole system becomes unreliable,” said Alan Paller, head of SANS, a cybersecurity training school, and former co-chair of DHS’ task force on cyber skills.

(STORY CAN END HERE)

Last month, the leaders of the Senate Homeland Security and Governmental Affairs Committee, Tom Carper, D-Del., and Tom Coburn, R-Okla., pressed OPM and DHS about their oversight of contractors and USIS’ performance before and during the cyberattack.

Another committee member, Sen. Jon Tester, D-Mont., said he worried about the security of background check data, saying contractors and federal agencies need to “maintain a modern, adaptable and secure IT infrastructure system that stays ahead of those who would attack our national interests.”

The Office of Personnel Management and the Department of Homeland Security indefinitely halted all USIS work on background investigations in August. OPM, which paid the company $320 million for investigative and support services in 2013, later decided not to renew its background check contracts with the firm. The move prompted USIS to lay off its entire force of 2,500 investigators. A company spokesperson complained that the agency has not explained its decision. Representatives from OPM and DHS declined comment.