A powerful lawmaker is pressing KeyPoint Government Solutions for answers about a data breach affecting more than 48,000 federal employees, and for information on the improvements it made in light of that breach.
Rep. Elijah Cummings (D-Md.), ranking member of the Oversight and Government Reform Committee, gave KeyPoint 24 days to respond to 13 questions about its cyber vulnerability that OPM first made public in December.
“The data breach is particularly disconcerting given that it appears to be related to a similar data breach at another private company, USIS, that was also responsible for performing critical background check services for the federal government,” Cummings wrote in a letter to Eric Hess, CEO of KeyPoint Government Solutions, on Jan. 6. “As a leading provider of background check services for the federal government, it is imperative that KeyPoint’s systems have sufficient controls in place to properly safeguard the highly sensitive data it collects on federal employees through the course of its work. The increasing number and apparent sophistication of cyber attacks against companies tasked with conducting background checks for the U.S. government poses a clear and present danger to our nation’s security.”
KeyPoint Government Solutions is the largest private provider of background check services for the federal government.
In December, OPM said there was no evidence to confirm that KeyPoint lost sensitive information, but it was possible that personally identifiable information (PII) was exposed.
OPM did offer the impacted employees credit monitoring services at no charge.
KeyPoint’s data breach follows one suffered by USIS, which was first made public in August. That breach put at least 25,000 Homeland Security Department employees at risk of identity theft.
The back-to-back hacks on similar contractors concern Cummings.
He wants KeyPoint Government Solutions to answer a series of questions by Jan. 30. Questions for information Cummings wants include:
Cummings also requested that KeyPoint Government Solutions’ chief information security officer or similar IT security professional provide him with a briefing by Jan. 26.
An email to KeyPoint Government Solutions seeking comment on Cummings’ letter was not returned.
KeyPoint is just one of a growing number of agencies and federal contractors suffering cyber attacks. The departments of State, Energy and Veterans Affairs, as well as Deltek, all endured cyber attacks or data breaches over the last year.
Congress passed and President Barack Obama signed the Federal Information Security Modernization Act into law in December, which now requires agencies to notify lawmakers of a data breach within seven days.
The Office of Management and Budget also changed the federal data breach reporting requirements. It told the Government Accountability Office last year that it would be revising those notification requirements. The Homeland Security Department’s U.S. Computer Emergency Readiness Team in October issued new guidelines that take into account the type of breach. For example, unauthorized access continues to require notification within one hour of discovery or detection, but a denial of service attack requires notification within two hours and scans, probes and attempted access can be reported monthly.