US contractor firm that vetted Snowden suffers major breach; data likely snatched

Summary: A major contractor of the US Dept. of Homeland Security suffers a major breach, months after it was accused of faking hundreds of thousands of background checks.

(Image: US Government/Dept. of Homeland Security)

A contractor working for the US Dept. of Homeland Security has suffered a data breach, which likely led to the leak of personal employee information.

USIS, a private company that conducts background checks on behalf of the government agency, has been suspended until the Federal Bureau of Investigation (FBI) conducts its investigation, The Washington Post reported on Wednesday.

Other agencies have also suspended their work with the company out of "caution," the newspaper said, citing senior Obama administration officials.

Homeland Security said after forensic analysis that some of its personnel had been affected, leading to concerns that employee data may have been stolen.

It's unclear if that affects those who are vetted by the company.

Although the US Computer Emergency Readiness Team, known as US-CERT, is carrying out an assessment of the breach, there has been no speculation as to the cause of the data leak.

The Falls Church, Virginia-based company is said to handle the overspill of background checks on behalf of the US government. While the Office of Personnel Management vets the bulk of its likely employees, other government departments — like Homeland Security — employ third-party companies to assist.

USIS came under fire earlier this year after it came to light that it conducted background checks on Edward Snowden, the former US government contractor who leaked tens of thousands of classified documents to Glenn Greenwald, who published details of the National Security Agency's surveillance capabilities.

The company was also accused by the US Department of Justice of faking more than half a million background checks, including that of the so-called Washington Navy Yard shooter, Aaron Alexis.

Talkback

14 comments
  • More inappropriate outsourcing.

    Vetting for security clearances should be done by the FBI, not private contractors (investigation *is* the FBI's core competence).
    John L. Ries
    • On second thought...

      ...as long as the DHS has its own detective agency, perhaps the Secret Service can vet clearance candidates for that department.

      In any case, the profit motive should have no role in what amounts to police work.
      John L. Ries
      • Rent-a-cops...

        ...are fully capable of drumming up their own business in the private sector; they don't need to get fat off of government contracts.
        John L. Ries
    • That's how it used to be...

      Back when I was still in the Army (mid-60s to mid-70s), that's how it was -- mostly. The FBI did what was called a Local Agency Check through their files and then an agent would check with local law enforcement to see what they had. That was considered enough for a Secret clearance. But for Top Secret (especially sensitive code-word access), the military or government agency would do an in-depth investigation as the FBI probably didn't have the background to know the appropriate markers to look for when doing an investigation.

      Did it work? Well, I don't recall any major security breaches back then -- except for those who became spies after they got their clearances, of course.
      RangerJimK
      • The FBI does counterintelligence...

        Giving it at least some of the background required to do an in-depth investigation. And the CIA can be consulted as to whether any foreign intelligence they might have would suggest a possible problem with the applicant.
        John L. Ries
  • part of the problem

    In a representative democracy (that is, a republic) it is necessary for the electorate to have access to ACCURATE information with regard to what their government is doing in their presumptive behalf; without such information, the notion of a democratic system (governing by consent of the governed) is basically pointless. If we are ignorant, how can we make intelligent voting decisions (or other forms of support of government programs, candidacies and issue decisions)?
    If "secrets" are kept from us, how do we know that these secret acts are actually in our best interests, and are not, in actuality, feathering the nest of some "insider" whom we have merit-less-ly placed our trust?
    ta1
    • There is a balance to be struck

      The general consensus is that it is unwise to let potential enemies know too much about what our military and intelligence services are doing; and that it's hard to get candid advice if it's likely to show up in tomorrow's news.

      Perhaps you disagree. Care to explain why?
      John L. Ries
  • The process is more structured than most realize

    USIS contractors do not award clearances, they perform the footwork analysis for that adjudication. Additionally, the adjudication information is not kept on USIS systems. In respect to the employee information compromised it would be USIS workers and not the vetted records. It was the practice for a government security officer to review and award the actual adjudication in higher security levels and monitor and audit for mundane public trust.

    I'm not carrying the water or anything, just stating the clarification that agency employee vetting information would not be on USIS systems, USIS employee information would be. I could see the USIS employee having a reference to their security level, but no SF86 etc information should be retained. The online software that is used encrypts that information before it is sent for archiving in rest format even in the event it was.
    cdaringer@...
    • Nevertheless

      I fail to see the benefit of paying outsiders to vet clearance applications when the federal government has a perfectly good detective agency (called the "Federal Bureau of Investigation") with many decades of experience in the area. And unlike outsiders, the FBI doesn't have a financial incentive to cut corners, or to pay lobbyists to create more work for itself.
      John L. Ries
  • Re John Ries

    Wrong on many accounts - USIS does not grant clearances - the FBI does not have the manpower to conduct 1,000,000 investigations, many of the contractors are prior law enforcement, including Federal agents, that are fully capable and are solid, conscientious and honest. The FBI agent gets paid 125k plus benefits while the contract investigator gets from 38 or 70k per year. Do you really want to pay an FBI agent to go to a Dunkin Donuts or your local flower shop to check to see if the applicant really worked there for 6 weeks or talk to two neighbors to see if the guy really lived there? The system is flawed, not the workers. Try to learn what is involved in a security clearance background and what the Feds (OPM) require before you fault the contractor and assume any Federal employee can do better.
    nac1013
    • If the FBI doesn't have enough personnel...

      ...it would be because Congress is spending the money on outsourcing instead of authorizing the hiring of additional people. And the people hired to do this don't necessarily have to be paid what field agents are.

      I agree the system is flawed, but the cure is in rationalizing the civil service system, rather than privatizing it. And I wasn't blaming the employees; rather, I primarily blame the politicians that are supposed to be in charge; and secondarily the idiots who have for the past 20 years been selling the dubious claim that privatization and outsourcing are good for whatever ails the Federal Government. Personally, I think it's driven more by partisan politics and ideology than economics.

      Why pay two sets of managers and a host of stockholders when you don't need to (except perhaps to steer taxpayer money to one's political allies)? It's not like government contracting has much to do with the free market.
      John L. Ries
      • For the record...

        ...I've worked in private industry my entire adult life, have never worked directly for government at any level, and did government contract work for almost exactly 6 months (software development). Military contracting put food on my family's table when I was growing up, but it was the honest variety (development of specific computer systems), rather than day-to-day tasks better performed by government employees.
        John L. Ries
      • The cure that will never come...

        "...but the cure is in rationalizing the civil service system, rather than privatizing it."
        ---
        I agree, but the time of well-run American government has passed. Pick your own villain for this occurrence, doesn't matter.
        sandmich
        • In which case...

          ...we all throw our hands up in despair. But I think more good will come from continuing to try than will come from giving up.
          John L. Ries