Breach at US security contractor exposed at least 25,000 workers

Summary: USIS, which performs background checks for the Department of Homeland Security, revealed that it was hacked earlier this month. The same company vetted Edward Snowden for the government.

Reuters is reporting that a data breach at Falls Church, Virginia-based US Investigations Services (USIS), reported earlier this month, exposed the personal data of at least 25,000 workers.

USIS says that their internal security staff detected the breach which, experts say, "...has all the markings of a state-sponsored attack." DHS has suspended all work with USIS since the announcement of the breach.

An unnamed DHS official told Reuters that the Department plans to notify the employees that they may be "impacted" by the breach. Research into the breach continues, and more record exposures may be revealed.

If the records contain personal information gathered in background checks, it may expose some employees to blackmail.

USIS was in the news last year, having done the background check on Edward Snowden for his government work. At a congressional hearing last June into the Edward Snowden case, the inspector general for the Office of Personnel Management (OPM) told the committee that "we do believe there may be some problems" with the reinvestigation of Snowden in 2011.

Topics: Security, Government US

Talkback

25 comments
  • Rather scary, this one...

    This breach is quite disturbing. If you know the sorts of things the security clearance applications require the applicant to provide, it's more than enough to not only steal identities, but to undermine careers and friendships.

    Passwords can be changed. Credit cards can be cancelled and reissued. This is far worse than that. Those applications require a detailed financial history of the past 5 to 10 years, educational history, the names and addresses of families, and friends, employment history, and more.

    How do you protect yourself, your family and your friends from the mischief that this information, in the wrong hands, makes possible?

    When you get a security clearance, you swear to protect all confidential information, and the penalties for unauthorized distribution of such information are severe. What is the penalty that USIS will face for exposing all that confidential personal information about those over twenty-five thousand people who have applied for a security clearance?
    filker0
    • The usual penalty is loss of government contracts.

      There can also be penalties for "lack of performance" failures depending on how the contracts are worded.
      jessepollard
  • Something New Must Be Done

    We need to start mapping out every company that holds personal data to begin to understand what types of risks are out there. Then set a course for securing this data and holding those companies that gather and store this data responsible for breaches. Only then will you see something real done. By making it so financially devastating to suffer a breach will they responsibly store data.
    Medfordhouse
  • Sounds like another YAWF

    (yet another windows failure).

    As of 2007, it looks like they were running Windows...
    jessepollard
    • Uh...it's 2014.

      "As of 2007..."

      Seven years later.
      ye
  • This is not about which OS was running

    Who cares what OS they were running? This breach has the potential to negatively affect many lives. If this was a state sponsored attack, they would have the ability to break into almost anything. Besides, lots of these breaches are the result of human error such as phishing, poor configuration, etc. No OS could protect against that.
    mystic100
    • Breaches always have.

      And it doesn't matter whether it was state sponsored or not.

      It just shows that people have ALWAYS had the ability to break in.

      And yes, an OS CAN protect against that. Might not be able to eliminate stupidity, but making systems easier to configure is one step. Making systems secure to start with is another. And proper partitioning prevents the spread of things like phishing.
      jessepollard
  • Data hacked

    Prelude to job termination. These personnel have now been compromised. This portends a return to paper record keeping and stand-alone computer systems.
    hocoalum
    • Not going to happen.

      Having been through the process three times that I know of (and likely two more that I don't).

      The paper process is too slow. My first one was that way... After the first four (five? not certain) months delay, the process was restarted. I was told later they found the first one on a desk inbox... and the person handling that inbox had taken a scheduled vacation before it arrived. The second process took an additional 4 months. By the time the paperwork had arrived (and clearance been issued) the contract was over. So the entire time was spent with a locally issued "interim" clearance...

      The second time was also a paper process, but a bit faster (having had a previous clearance). That one only took about 6 months (bigger backlog).

      The third one was just a transfer (I think it only needed a 3 year review), but still took 4 months.

      The LAST one was computerized. A US Marshal carried out the interview with data entered via a laptop. It STILL took 4 months (I understand they went back 15 years).

      Anything not disclosed that was discovered would have been grounds for immediate termination -- and possible arrest (perjury at a minimum).

      Just before that last time the backlog had grown to between 6 and 8 months delay before even STARTING an investigation.

      And remember - these investigations are for the entire government, including all military personnel, regular government employees, TSA, contractors to the government, even the janitors, construction workers, ...

      About the only people NOT investigated seems to be when the government buys a parking lot... after the parking lot has already been built.
      jessepollard
      • Excessive secrecy

        I wonder how much of this backlog is due to excessive secrecy and a tendency to over-classify information to hide it by governments.

        Also, many outside of government potentially have access to people's personal records by virtue of their employment.
        Linux_Lurker
        • None.

          That is a different source of information, and a different group that defines the secrecy.

          These investigations are HR related.
          jessepollard
          • It is

            It is because the security requirements for jobs have been increased along with shorter reinvestigation times.
            Buster Friendly
  • This massive

    Security state that the government built is a house of cards. This is the tip of the iceberg we are seeing.
    Edwin_S
  • The Federal Record

    All one has to do is read history to understand what a folly it is to allow any govt the oversight of any sensitive or secure individual data.
    To think that half our country feels it's alright to provide them with our personal and confidential health information is sheer madness.
    TerrifiedCitizen
    • The goal has nothing to do with "sensitive or secure individual data"

      It DOES have to do with MAINTAINING the security of OTHER data.

      As in identifying people that can be trusted with access to potentially lethal information.
      jessepollard
    • This wasn't the government

      This was a private contractor working for the feds. It should give some pause to the "privatize everything possible because government can't do anything right" people, but probably won't.
      John L. Ries
      • As far as I know, the Obama Administration

        has not reversed any of the U.S. government and military privatization initiatives that date to the George W. Bush (and Dick Cheney) Administration or earlier.
        Rabid Howler Monkey
        • Noted

          Should have when it had the chance, but didn't. Consequence of weak Presidents combined with weak Congresses.
          John L. Ries
          • The best government that money can buy...

            :(

            In the presence of weak government, it is always whoever can pay to get their form of government. Thus "big business" always steps in to fill the vacuum.
            jessepollard
      • It's the government's responsibility

        It's the government's responsibility to monitor the contractors. Much of the work is done directly on OPM's systems too. Without knowing how the data was acquired, we really don't know who messed up.
        Buster Friendly