Congressman wants answers on KeyPoint data breach

KeyPoint Government Solutions is being asked to provide a bevy of information on a data breach that exposed the records of nearly 50,000 government workers. But shouldn't there be a better way to address cyberattacks?

Much like U.S. Investigative Services before it, KeyPoint Government Solutions is now finding itself in congressional crosshairs thanks to a data breach that exposed personal information of nearly 50,000 government employees.

KeyPoint saw its background investigation business with the Office of Personnel Management soar after OPM cancelled its contracts with USIS following a data breach at USIS, though USIS also had other issues weighing against it.

Rep. Elijah Cummings (D-Md.) has sent a laundry list of items to KeyPoint, wanting more information about the breach that occurred in the fall of 2014. Cummings is the ranking minority member on the House Government Oversight and Reform Committee.

The list of 13 items in the Jan. 6 letter includes requests for information on:

  • All data security requirements that apply to federal contracts in effect at the time of the breach.
  • A log of all successful cyber intrusions into the company’s networks in the last four years.
  • Findings of forensic investigative analysis or reports about the data breach.
  • Names of individual suspects or entities believed to have caused the data breach.
  • A list of all federal customers potentially affected.
  • An explanation of why the company kept personally identifiable information of federal workers.

KeyPoint declined a request for comment on the letter or the breach.

When we first reported on the breach in December, Cummings said the incident “underscores the need for Congress to conduct oversight on areas where the government relies upon private sector companies to secure government-related information.”

Cummings also was a critic of USIS, which had been the government’s largest provider of background investigations. USIS suffered a breach and OPM cancelled its contracts. The data breach was the last straw of sorts for USIS, which had been a source of controversy for more than two years because of its involvement in the background investigations of NSA leakers Aaron Alexis and Edward Snowden. It’s also the target of a Justice Department investigation.

Cummings is right to ask the questions he’s asking, but we need something more. Perhaps a stronger reporting requirement, but one that also protects the companies who are doing the reporting.

There’s likely not a government contractor out there that hasn’t been a target of hackers, so it was very chilling when USIS was shut down because it reported its breach. Companies need to be encouraged to share information, and to do so without fear of reprisals.