The massive cyberattack last year on the federal contractor that conducted background investigations for security clearances may have been even more widespread than previously known, affecting the police force that protects Congress and an intelligence agency that helped track down Osama bin Laden.
After Falls Church, Va.-based USIS suffered the intrusion, the Office of Personnel Management and the Department of Homeland Security issued stop-work orders to the company. And eventually OPM, which conducts background checks for the overwhelming majority of the federal government, canceled USIS’s contracts, effectively putting the company out of business.
But now USIS has told Congress in a letter obtained by The Washington Post that the breach may have been even more damaging: OPM, two DHS agencies — Customs and Border Protection, and Immigration and Customs Enforcement — the U.S. Capitol Police and the National Geospatial-Intelligence Agency were all hit.
The revelation comes as members of the House Committee on Oversight and Government Reform are scheduled on Wednesday to question leaders of USIS and KeyPoint Government Solutions, which is now one of the leading providers of security investigations. It was also hacked last year.
Separately, the committee has been concerned about major intrusions into OPM’s networks that were publicly disclosed in recent weeks. One affected the database for background checks for clearances; another involved the personnel records of more than 4 million current and former employees.
The committee wants to know if the attacks on the contractors led to the breaches at OPM. On Tuesday, Katherine Archuleta, OPM’s director, told a Senate hearing that hackers used a credential used by KeyPoint to breach the agency’s network.
“I want to be very clear that, while the adversary leveraged [a] compromised KeyPoint user credential to gain access to OPM’s network, we don’t have any evidence that would suggest that KeyPoint as a company was responsible or directly involved in the intrusion,” she said.
KeyPoint CEO Eric Hess said in prepared testimony for Wednesday’s hearings that “we have seen no evidence suggesting KeyPoint was in any way responsible for the OPM breach.”
He added, “KeyPoint is committed to ensuring the highest levels of protection for the sensitive information with which we are entrusted.”
In a statement to The Post, Rep. Elijah Cummings (D-Md.), the committee’s ranking member, said that contractors “have become a weak link in our nation’s security clearance process.”
“Based on this new information, the data breach at USIS appears much more damaging than previously known, affecting our intelligence community, our immigration agencies, and even our police officers here on Capitol Hill,” he said. “It is unclear why USIS withheld this information from Congress for so long, especially since I raised this question more than seven months ago.”
USIS and KeyPoint spokesmen declined to comment, and the National Geospatial-Intelligence Agency did not respond to a request for comment. After the breach was disclosed last year, both DHS and the Capitol Police said they notified all of their employees about the intrusion and took steps to protect their privacy.
During a hearing last week on the OPM breach, which has been linked to Chinese intruders, Cummings said one of the most critical questions was: “Did these cyber attackers gain access to OPM’s data systems using information they stole from USIS or KeyPoint last year?”
After a classified briefing on the matter, Cummings issued a statement that said he now feels “more strongly than ever” that the committee should hear from USIS and KeyPoint.
Cummings has been pressing the companies for more information for months but has had little luck and at one point accused USIS and its parent company of “obstructing this committee’s work.”
Robert Gianetta, USIS’s chief information officer, and Eric Hess, the chief executive of KeyPoint, are expected to appear before the committee on Wednesday along with Archuleta, the OPM director.
In response to questions submitted to the company in November, a USIS attorney provided an eight-page letter Tuesday, saying USIS discovered the breach itself and “consistently, openly and willingly shared information with the government regarding the cyber-attack.” It said it suffered the intrusion even though its security systems “met or exceeded requirements” imposed by the government.
USIS also has accused OPM of neglecting to share information that might have helped it detect its intrusion earlier. In addition to this year’s attack, OPM’s network was also breached months before the USIS attack.
The company also faces a whistleblower lawsuit alleging that it improperly “dumped” 665,000 background investigation cases, saying they had received a required quality review when in fact they had not. The suit, filed by Blake Percival, a former field work services director, and joined by the Justice Department, says the company rushed through the investigations in order to hit revenue incentive targets.
The Justice Department last week filed an objection to the bankruptcy plan of Altegrity, USIS’s parent company, saying that any damages awarded in the suit should not be erased by the bankruptcy.
Lisa Rein contributed to this report.