US House terminates deal with iConstituent after company waited days to raise ransomware alarm

The constituent communication platform was hit with a ransomware attack in May and waited nearly a week to notify government officials.

The Office of the Chief Administrative Officer (CAO) -- which provides support services to US House members of both parties -- sent a letter to members of Congress announcing that it has terminated all contracts with iConstituent and will no longer be authorizing the platform's use because of multiple cybersecurity incidents. 

iConstituent is currently used by about 60 House members and was designed to facilitate communication between politicians and local residents. But in May the platform was hit with a ransomware attack and Chief Administrative Officer of the House Catherine Szpindor told Punchbowl News that the attack targeted iConstituent's e-newsletter system, which House members buy access to.

Szpindor added at the time that no data from the House had been taken or accessed and the network used by the House was not affected.

But in a letter to House members first obtained by CNN's Melanie Zanona, the CAO ripped into iConstituent for multiple security incidents -- some that had not been reported before -- and for their lackluster response to questions from government officials. 

On Tuesday, iConstituent was notified that its contracts have been terminated and that the platform will no longer "be authorized to provide CMS, Maintenance, Systems Administration, or Web services to House offices," according to the letter.

House members will have until December 31 to move off of the iConstituent platform. 

"The CAO is taking this action because of multiple cybersecurity incidents involving iConstituent over the past several years. The CAO recognizes this will significantly impact your Office's operations. The CAO did not come to this decision lightly," the letter said, adding that they would provide members of Congress with help in finding replacement systems. 

iConstituent will still be providing its services to Congress while members transition to other approved vendors. 

The letter explains that part of what caused the cancellation was iConstituent's response to the ransomware attack in May. 

According to the CAO, iConstituent waited nearly a week before informing government officials of the ransomware attack on their e-Newsletter service. 

"This delay in notification was a serious violation of iConstituent's contractual requirements designed to protect Member and constituent information," the CAO said. 

"The CAO's efforts to obtain additional details from iConstituent since then have been met with conflicting and inconsistent information, further delays, and an overall lack of transparency. While iConstituent has represented that no House information was impacted as a result of the ransomware attack -- and the CAO has no evidence to contest that conclusion -- the circumstances of the attack and iConstituent's response raise irreparable doubts about their ability to securely deliver technology services to the House."

The letter goes on to detail multiple iConstituent cybersecurity incidents, including ones in July 2013 and November 2018 where the platform either "failed to secure House web data" or experienced compromise of their eNewsletter platform.

The platform compromise happened because iConstituent did not apply "critical" patches to their system, according to the CAO. In the 2018 incident, the root passwords of multiple websites were exposed to the public-facing internet.

The CAO said it previously punished iConstituent by withholding payments and banning the company from taking on any more members of Congress as clients. 

"Based on this latest incident, the vendor still does not appear to have meaningfully improved their security practices," the CAO said. 

A list of resources and options were provided to House members at the end of the email and administrators pledged to contact each office to help with the transition process.  

Despite the actions taken by the House, iConstituent is still used widely across state governments in Nevada, Georgia, Hawaii and cities like Los Angeles. The New York State Assembly also has a contract with the company for services.