According to Washington Technology, hackers have gone after Keypoint Systems, a contractor for The Office of Personnel Management that does background investigations for security clearances. If anyone has ever had a Department of Defense or other government security clearance, the information that you provide is extremely detailed. For example, for the DoD, the SF-86 form can be well over 100 pages when completed. OPM is notifying almost 50,000 people that their information may have been taken. May have because they don’t really know. I assume they don’t know because Keypoint did not have sufficient controls in place to tell what the hackers took. OPM says thay Keypoint is adding more controls as a result of the breach, but beyond that, they are saying very little.
Curiously, USIS, the contractor that OPM used to use and most famous for having performed Edward Snowden’s background investigation, was hacked this year also and the OPM cancelled their contract, causing them to lay off 3,000 employees. The fact that OPM is handling these two breaches very differently will no doubt get some attention on Capitol Hill.
It is more than a little disconcerting that two different contractors who handle security clearance investigations for the government this year were hacked. It says something about the (lack of) security requirements in the contracts that OPM is issuing for vendors.
They are the government so they can get away with a lot more than you or I can.
While it is fun to beat up the government, it is, unfortunately, like taking advantage of someone who is not very good at what they do.
The lesson to be learned here is that you should review whether or not you are effectively vetting the security of subcontractors and vendors that you use. Do your contracts have specifics regarding security practices, policies and technology? If what happened to Keypoint and USIS happened to you, it would likely have a large effect on your business. USIS had to shut down an entire division.