Data breach exposes nearly 50,000 federal employees’ information

In the latest example of federal shortcomings in the realm of cybersecurity, nearly 50,000 employees may have had their sensitive information exposed during a data breach.

A serious attack
The breach occurred as the result of a cyberattack directed against KeyPoint Government Solutions, a federal contractor. Following detection, the Office of Personnel Management informed 48,439 federal employees that their personal information may have been exposed during the attack and offered these personnel free creditor monitoring. According to Nathalie Arriola, a spokesperson for the OPM, there is no conclusive evidence that sensitive information was removed from KeyPoint systems.

"As we examine the potential impact on DHS employees, we are committed to ensuring the privacy of our workforce and will take all appropriate measures to safeguard it," S.Y. Lee, a spokesperson for the Department of Homeland Security, told NextGov.

Contractor woes
KeyPoint Government Solutions provides interviews for and background checks on federal employees and other individuals who are looking to obtain security clearance. Naturally enough, this means that the contractor possesses a tremendous amount of personnel information on those federal employees it has investigated, making the organization a high-value target for cybercriminals.

As Deseret News reported, KeyPoint became the single largest private clearance firm working for the federal government earlier this year. Ironically, this happened because the previous contractor to fulfill this role, USIS, lost its U.S. agency contracts following another cyberattack. In that case, more than 25,000 DHS workers' files may have been exposed.

In the wake of the USIS breach, the DHS evaluated other background check firms and their cybersecurity capabilities, NextGov reported. This process eventually led the agency to select KeyPoint.

While the federal government severed its ties with USIS following its data breach, there are no plans to follow this same course of action in regard to KeyPoint.

"Following the discovery of the problem, KeyPoint implemented numerous controls to strengthen the security of its network," Donna Seymour, chief information office for the OPM, said in an email, NextGov reported. "The immediacy with which KeyPoint was able to remediate vulnerabilities has allowed us to continue to conduct business with the company without interruption."

Next steps
While this data breach occurred at a federal contractor, rather than a U.S. agency proper, it still represents a serious cybersecurity incident and suggests the need for revamped processes going forward. Most obviously, the DHS and other agencies should consider ways to revitalize and improve their third-party screening efforts, considering that KeyPoint was subjected to significant scrutiny in this area and yet still ultimately proved unable to adequately protect federal employee data.

One possible way for federal agencies to decrease the chances of a similar breach occurring in the future is by embracing stricter standards for all federal contracts handling sensitive U.S. information. While no strategy is completely invulnerable, the adoption of best practices and commitment to constantly evolving cybersecurity methods can vastly improve how well any given information is protected.  

This notion is not limited to federal contractors. In addition to the incidents affecting USIS and KeyPoint, federal agencies themselves have also suffered a number of data breaches in recent months. Perhaps most notably, both White House and State Department computer networks were infiltrated by hackers, most likely backed by foreign nations. 

All of these incidents highlight two trends. First, sensitive U.S. information, both personal and otherwise, is increasingly valuable to cybercriminals and hostile powers alike. Second, many current efforts to ward off these attacks are insufficient. 

Consequently, federal agencies should consider increasing their investment in cybersecurity initiatives. This should include both upgrading available tools and working with third-party consulting firms to optimize the use of these resources.