A major U.S. contractor that conducts background checks for the Department of Homeland Security has suffered a computer breach that probably resulted in the theft of employees’ personal information, officials said Wednesday.
The company, USIS, said in a statement that the intrusion “has all the markings of a state-sponsored attack.”
The breach, discovered recently, prompted DHS to suspend all work with USIS as the FBI launches an investigation. It is unclear how many employees were affected, but officials said they believe the breach did not affect employees outside the department. Still, the Office of Personnel Management has also suspended work with the company “out of an abundance of caution,” a senior administration official said.
“Our forensic analysis has concluded that some DHS personnel may have been affected, and DHS has notified its entire workforce” of the breach, department spokesman Peter Boogaard said. “We are committed to ensuring our employees’ privacy and are taking steps to protect it.”
The intrusion is not believed to be related to a March incident in which the OPM’s databases were hacked, said officials, some of whom spoke on the condition of anonymity because they were not authorized to speak on the record. That intrusion was traced to China and none of the personal data, which was encrypted, was stolen.
In the DHS case, said a second senior administration official, “We have an inclination that, based on what the company has been telling us, there has been a spill. The degree to which that information has been exfiltrated for other purposes is what we’re trying to discern now.”
Officials said that, although the DHS encrypts the employee data it sends USIS, it’s unclear whether the data remain encrypted.
USIS, a Falls Church, Va., company, is the largest provider of background investigations for the federal government. It conducts checks for DHS employees and applicants who require security clearances. While the OPM manages the bulk of federal background investigations, some departments, such as Homeland Security, have authority to hire contractors for their own investigations, officials said.
Company officials said they recently discovered the penetration of the firm’s corporate network and informed the FBI, the OPM and other relevant agencies. “We are working collaboratively with OPM and DHS to resolve this matter quickly and look forward to resuming service on all our contracts with them as soon as possible,” the firm said in its statement.
The U.S. government and its contractors are a favorite target for hackers who are interested in obtaining sensitive data, ranging from employee information contracts to weapons-system designs.
In 2006, Chinese hackers breached the system of a sensitive Commerce Department bureau. Also that year, the State Department suffered an intrusion traced to China.
In recent years, hackers have penetrated systems at the Defense Department, the Navy and the Environmental Protection Agency. Last year, hackers stole personal data from more than 100,000 people from an Energy Department system.
The U.S. Computer Emergency Readiness Team (US-CERT), a component of DHS, is conducting an on-site assessment at USIS, including a forensic analysis. Officials said they are seeking to learn exactly what happened and who was behind the intrusion. US-CERT has also instructed the company on how to mitigate the breach, officials said.
Some lawmakers have announced they will investigate the breach. “It is extremely concerning that the largest private provider of background investigations to the government was hacked,” said Rep. Elijah E. Cummings (Md.), the ranking Democrat on the House Oversight and Government Reform Committee. “I am asking Chairman [Darrell] Issa to work with me in having our committee investigate this matter with the utmost urgency.”
The USIS breach “is very troubling news,” said Sen. Jon Tester (D-Mont.), a Homeland Security Committee member. “Americans’ personal information should always be secure, particularly when our national security is involved. An incident like this is simply unacceptable.”
Cummings and other lawmakers have been critical of DHS for recently awarding USIS a contract, worth up to $190 million, to provide services related to DHS’s immigration system. They noted the company is facing a lawsuit by a whistleblower and the Justice Department that accuses it of defrauding the government.
The suit alleges that USIS “dumped” or did not fully complete 665,000 background checks used for security clearances to hit revenue targets. Since the accusations have emerged, the company says it has hired a new management team and has enhanced oversight procedures.
USIS performed the background checks on Navy Yard shooter Aaron Alexis and on former National Security Agency contractor Edward Snowden.
Christian Davenport and Josh Hicks contributed to this report.