WASHINGTON – In a story Nov. 13 about former Department of Homeland Security official Christopher Cummiskey’s remarks about a computer breach at U.S. Investigations Services LLC, The Associated Press reported erroneously that Cummiskey said a DHS contract with the firmspecified rigorous computer security and data-management practices. Cummiskey said the contract did not specify those requirements.
A corrected version of the story is below:
Ex-DHS official warns of more USIS breach victims
Ex-DHS official says USIS breach likely affected other federal workers beyond Homeland agency
By STEPHEN BRAUN
A massive cyberbreach that compromised the private files of more than 25,000 Department of Homeland Security workers earlier this year also exposed data belonging to numerous workers at other federal agencies, a former senior DHS official said Thursday.
Christopher Cummiskey, who recently left his post as acting undersecretary for management at DHS, said Thursday that government investigators from several agencies are still identifying the precise numbers of those affected. He added the final tally could represent thousands more employees.
Cummiskey said that officials found similarities between the techniques used by intruders in the incident at U.S. Investigations Services LLC and during an earlier breach at the Office of Personnel Management that was later linked to Chinese hackers.
The USIS breach, which was reported by the company to government officials last June, was the first of a series of high-profile cyber intrusions in recent months that have alarmed congressional and computer security experts and raised calls for more government scrutiny and co-ordination. Late last month, hackers reportedly traced to Russia penetrated some White House computers. And a massive intrusion at the U.S. Post Office, reported just this week and also linked to China, compromised the data of as many as 800,000 postal workers.
Speaking at a cybersecurity forum at the Center for National Policy think-tank in Washington, Cummiskey said government agencies need to share information about breaches as soon as they are notified. He said DHS contracting officials were slow in alerting other agency officials to the severity of the USIS breach after the company reported the incident last June.
Cummiskey said that the hackers who struck at USIS penetrated through the company-designed data management system, known as Orion. He said it took months before the company noticed the intrusion and that once hackers gained entry, they easily moved from DHS workers to other government agency employees. There were no firewalls separating the files belonging to each agency, Cummiskey said.
“Once they were in, the hackers were able to pack their bags with anything they wanted,” Cummiskey said.
Cummiskey did not identify the other agencies that used the Orion system but a person familiar with USIS contracts said workers from at least one Department of Defence intelligence agency had private and financial data in that network. The person familiar with USIS contracts spoke anonymously because of an ongoing FBI criminal investigation into the breach.
A USIS spokeswoman declined to comment. The company previously said that the attack struck at a computer server run by an unidentified “third party.” The company also said earlier that cyberstrikes often take months to detect and that USIS’ computer systems had previously been reviewed and approved by OPM officials.
Cummiskey said that DHS’ contract with USIS was faulty because it did not specify rigorous computer security and data-management practices. He said investigators found that the compromised Orion system contained old background check reports that should have been deleted.
“There were too many old reports floating around,” Cummiskey said.