Hackers hit OPM background investigations contractor

Hackers have gone after KeyPoint Government Solutions and its main customer, the Office of Personnel Management, is issuing a warning that nearly 50,000 people may have had their information compromised.

An OPM spokeswoman said that the agency has concluded an investigation of the breach and is notifying 48,439 people whose personally identifiable data may have been breached.

The agency is taking the action “out of an abundance of caution,” the spokeswoman said.

The investigation could not find conclusive evidence that sensitive information was removed from KeyPoint’s system.

An attempt to reach KeyPoint for comment was not successful.

KeyPoint provides background investigations for OPM as part of the security clearance process. It saw that business grow exponentially this year after OPM cancelled the contracts held by U.S. Investigative Services.

USIS also had its systems hacked. The hacking gave OPM the opening to cancel USIS contracts after two years of controversy involving USIS. The company provided the background investigations for NSA leaker Edward Snowden and Navy Yard shooter Aaron Alexis.

USIS also is under a Justice Department investigation into allegations that it claimed investigations were complete when they were not. The company has undergone a complete overhaul of its management team and process since those allegations were lodged. [The company also defended itself in a myth buster memo on its website.]

When USIS had its breach, it reported the issue to OPM and the Homeland Security Department. Within a short time, OPM suspended the work with USIS and then canceled the contract, forcing the company to close that part of its business and lay off 3,000 workers.

KeyPoint was tapped to step in and take over the background investigation work.

But weaknesses in the systems holding personal information apparently are well known.

In October, FCW.com reported that Customs and Border Protection had suspended background checks so that its vendors, including KeyPoint, could update their systems.

I’ve asked OPM when the breach at KeyPoint is alleged to have occurred but, so far, they aren’t commenting beyond their statement confirming that letters are going out informing people of the possible exposure of their data.

I’ve also asked for a comparison of the severity of the KeyPoint breach to the USIS breach given the differences in how OPM is handling the two incidents.

OPM is offering credit monitoring to those potentially exposed. KeyPoint also is working closely with the agency, OPM said, and has implemented additional security controls to give its networks greater protection.

In an email to OPM, agency CIO Donna Seymour wrote that "the immediacy with which KeyPoint was able to remediate vulnerabilities has allowed us to continue to conduct business with the company without interruption."

While it looks like OPM and KeyPoint's relationship is strong, the incident will likely bring more scrutiny from Capitol Hill, particularly from Rep. Elijah Cummings (D-Md.), the ranking member on House Government Oversight Committee. He has been a vocal critic of USIS.

"The recent data breach at KeyPoint Government Solutions emphasizes that this is a serious problem facing the federal government and private companies and underscores the need for Congress to conduct oversight on areas where the government relies upon private sector companies to secure government-related information," he said in a statement to Washington Technology.

He said he will ask that this be a priority of the committee.