A new US government bureau created recently to manage security background checks on staff has hired a private company linked to the massive data breach at the Office of Personnel Management.
US officials confirmed the hiring of KeyPoint Government Solutions by the new National Background Investigations Bureau (NBIB), Reuters claimed.
An OPM spokesperson claimed the agency has already told Congress that a KeyPoint contractor’s log-ins were stolen by hackers and subsequently used to breach government systems, landing the attackers with a goldmine of sensitive security clearance information relating to federal employees.
The NBIB, which was created partially in response to that breach of over 22 million records, will apparently use KeyPoint staff and those from three other private sector firms to carry out field interviews for security clearance investigations.
Early last month a report from the House of Representatives Republicans slammed the OPM for failings which allowed suspected Chinese hackers to infiltrate its network.
However, in a strongly worded response, House Democrats from the same Committee on Oversight and Government Reform claimed the report failed to take account of the role played by contractors in the breach.
Specifically, they argued that “cyber requirements for government contractors are inadequate” and that “contract requirements for sharing information with private sector companies that handle sensitive government data need strengthening.”
A lack of two-factor authentication in particular has been reported as the Achilles heel for the OPM in this instance, despite recommendations from the Office of Management and Budget to get it up and running as soon as possible.
Contractors and other third party workers are often the weakest link in the security chain.
It’s believed that an HVAC worker’s credentials were stolen and used to breach US retailer Target.
What's more, last year, two government contractors agreed to pay over $12 million to settle a court case alleging they allowed employees to work on a Defense Department contract without security clearance.