A powerful lawmaker is pressing KeyPoint Government Solutions for answers about a data breach affecting more than 48,000 federal employees, and for information on the improvements the company has made in light of it.
Rep. Elijah Cummings (D-Md.), ranking member of the Oversight and Government Reform Committee, gave KeyPoint 24 days to respond to 13 questions about its cyber vulnerability that OPM first made public in December.
“The data breach is particularly disconcerting given that it appears to be related to a similar data breach at another private company, USIS, that was also responsible for performing critical background check services for the federal government,” Cummings wrote in a letter to Eric Hess, CEO of KeyPoint Government Solutions, on Jan. 6. “As a leading provider of background check services for the federal government, it is imperative that KeyPoint’s systems have sufficient controls in place to properly safeguard the highly sensitive data it collects on federal employees through the course of its work. The increasing number and apparent sophistication of cyber attacks against companies tasked with conducting background checks for the U.S. government pose a clear and present danger to our nation’s security.”
KeyPoint Government Solutions is the largest private provider of background check services for the federal government.
In December, OPM said there was no evidence to confirm that KeyPoint lost sensitive information, but it was possible that personally identifiable information (PII) was exposed.
OPM did offer the impacted employees credit monitoring services at no charge.
KeyPoint’s data breach follows one suffered by USIS, which was first made public in August. That breach put at least 25,000 Homeland Security Department employees at risk of identity theft.
The back-to-back hacks on similar contractors concern Cummings.
He wants KeyPoint Government Solutions to answer a series of questions by Jan. 30. The information Cummings requested includes:
A log of all successful cyber intrusions into the company’s networks in the last four years, including: a description of all data breaches the company has experienced within that time frame; the date, manner and method by which the company first discovered the breaches; the dates the breaches were believed to have begun and ended; and the types of data breached;
The individuals or entities suspected or believed to have caused the data breach at issue, and whether they have been reported to the appropriate law enforcement agencies;
A list of federal customers that may have been compromised in the data breach at issue;
The approximate number of federal employees that may have been affected by the data breach at issue, and the manner in which those employees were notified of the breach;
An explanation of why the company retained PII of federal workers;
A description of data protection improvement measures the company has undertaken since discovering the breach at issue.
Cummings also requested that KeyPoint Government Solutions’ chief information security officer or similar IT security professional provide him with a briefing by Jan. 26.
An email to KeyPoint Government Solutions seeking comment on Cummings’ letter was not returned.
KeyPoint is just one of a growing number of agencies and federal contractors suffering cyber attacks. The departments of State, Energy and Veterans Affairs, as well as Deltek, all endured cyber attacks or data breaches over the last year.
Congress passed, and President Barack Obama signed into law in December, the Federal Information Security Modernization Act, which now requires agencies to notify lawmakers of a data breach within seven days.
The Office of Management and Budget also changed the federal data breach reporting requirements. It told the Government Accountability Office last year that it would be revising those notification requirements. The Homeland Security Department’s U.S. Computer Emergency Readiness Team in October issued new guidelines that take into account the type of breach. For example, unauthorized access continues to require notification within one hour of discovery or detection, but a denial of service attack requires notification within two hours and scans, probes and attempted access can be reported monthly.