Security contractor breach not detected for months

WASHINGTON — A cyberattack similar to previous hacker intrusions from China penetrated computer networks for months at USIS, the government’s leading security clearance contractor, before the company noticed, officials and others familiar with an FBI investigation and related official inquiries told The Associated Press.

The breach compromised the private records of at least 25,000 employees at the Homeland Security Department and cost the company hundreds of millions of dollars in lost government contracts.

In addition to trying to identify the perpetrators and evaluate the scale of the stolen material, the government inquiries have prompted concerns about why computer detection alarms inside the company failed to quickly notice the hackers and whether federal agencies that hired the company should have monitored its practices more closely.

Former employees of the firm, U.S. Investigations Services LLC, also have raised questions about why the company and the government failed to ensure that outdated background reports containing personal data weren’t regularly purged from the company’s computers.

Details about the investigation and related inquiries were described by federal officials and others familiar with the case. The officials spoke only on condition of anonymity because they were not authorized to comment publicly on the continuing criminal investigation, the others because of concerns about possible litigation.

A computer forensics analysis by consultants hired by the company’s lawyers defended USIS’ handling of the breach, noting it was the firm that reported the incident.

The analysis said government agencies regularly reviewed and approved the firm’s early warning system. In the analysis, submitted to federal officials in September and obtained by the AP, the consultants criticized the government’s decision in August to indefinitely halt the firm’s background investigations.

USIS reported the cyberattack to federal authorities on June 5, more than two months before acknowledging it publicly. The attack had hallmarks similar to past intrusions by Chinese hackers, according to people familiar with the investigation. Last March, hackers traced to China were reported to have penetrated computers at the Office of Personnel Management, the federal agency that oversees most background investigations of government workers and has contracted extensively with USIS.

In a brief interview, Joseph Demarest, assistant director of the FBI’s cyber division, described the hack against USIS as “sophisticated” but said “we’re still working through that as well.” He added: “There is some attribution” as to who was responsible, but he declined to comment further.

For many people, the impact of the USIS break-in is dwarfed by recent intrusions that exposed credit and private records of millions of customers at JPMorgan Chase & Co., Target Corp. and Home Depot Inc. But it’s significant because the government relies heavily on contractors to vet U.S. workers in sensitive jobs. The possibility that national security background investigations are vulnerable to cyber-espionage could undermine the integrity of the verification system used to review more than 5 million government workers and contract employees.

“The information gathered in the security clearance process is a treasure chest for cyber hackers. If the contractors and the agencies that hire them can’t safeguard their material, the whole system becomes unreliable,” said Alan Paller, head of SANS, a cybersecurity training school, and former co-chair of DHS’ task force on cyber skills.

Last month, the leaders of the Senate Homeland Security and Governmental Affairs Committee, Tom Carper, D-Del., and Tom Coburn, R-Okla., pressed OPM and DHS about their oversight of contractors and USIS’ performance before and during the cyberattack.

Another committee member, Sen. Jon Tester, D-Mont., said he worried about the security of background check data, telling AP that contractors and federal agencies need to “maintain a modern, adaptable and secure IT infrastructure system that stays ahead of those who would attack our national interests.”

The Office of Personnel Management and the Department of Homeland Security indefinitely halted all USIS work on background investigations in August. OPM, which paid the company $320 million for investigative and support services in 2013, later decided not to renew its background check contracts with the firm. The move prompted USIS to lay off its entire force of 2,500 investigators. A company spokesperson complained that the agency has not explained its decision. Representatives from OPM and DHS declined comment.

Last month, the federal Government Accounting Office ruled that Homeland Security should re-evaluate a $200 million support contract award to USIS. The GAO advised the department to consider shifting the contract to FCi Federal, a rival firm, prompting protests from USIS.

In the private analysis prepared for USIS by Stroz Friedberg, a digital risk management firm, managing director Bret A. Padres said the company’s computers had government-approved “perimeter protection, antivirus, user authentication and intrusion-detection technologies.” But Padres said his firm did not evaluate the strength of USIS’ cybersecurity measures before the intrusion.

Federal officials familiar with the government inquiries said those assessments raised concerns that USIS’ computer system and its managers were not primed to detect the breach quickly once hackers got inside.

The computer system was probably penetrated months before the government was notified in June, officials said. Cybersecurity experts say attacks on corporate targets often occur up to 18 months before they are discovered and are usually detected by the government or outside security specialists.

Still, USIS noted its own security preparations “enabled us to self-detect this unlawful attack.”

Padres said the hackers attacked a vulnerable computer server in “a connected but separate network, managed by a third party not affiliated with USIS.” He did not identify the outside company.

Former USIS workers told the AP that company investigators sometimes stored old or duplicate background reports that should have been purged from their laptops. The reports contained sensitive financial and personal data that could be used for blackmail or to harm government workers’ credit ratings, the former workers said.

Former USIS employees who worked with the federal personnel office said the system they used directed users to purge old reports. But the workers said USIS and OPM rarely followed up with spot checks. Employees who worked on systems with the Homeland Security Department said these had no similar automatic warning function and spot checks were rare. The company insisted spot checks were regularly performed.

Several former USIS workers said they were told nothing by the company about the cyberattack for two months after the breach was exposed. In emails obtained by AP, company workers were ordered to change their passwords without explanation.

The USIS spokesperson said the government directed the company’s decision to keep silent about the breach. Experts said companies often withhold such information for both security and management reasons.

“Employees may not like it,” Paller said, “but from a business perspective, that’s what companies do.”
