Chinese hackers roamed around unnoticed for months inside the networks of U.S. Investigations Services (USIS), the government’s main security clearance contractor, according to an Associated Press report.
Lawmakers have been pushing for answers about the breach, which exposed the records of at least 25,000 Department of Homeland Security (DHS) employees. USIS said in August that the incident had “all the markings of a state-sponsored attack.”
Characteristics of the intrusion mirrored a previous breach at the Office of Personnel Management (OPM) in March, when Chinese hackers went after the files on tens of thousands of employees with top-secret clearances.
{mosads}After the USIS breach was made public in August, the OPM said it would not renew its contracts with the company, worth roughly $320 million. USIS later laid off its 2,500 investigators.
The security checking company had already been a focal point of controversy.
In January, the Department of Justice alleged it took shortcuts on 40 percent of its background checks, roughly 665,000 in total. USIS blamed any malfeasance on “a small number of employees,” and pointed to changed leadership and enhanced oversight in response to the allegations.
Regardless, the company received a contract over the summer with the U.S. Citizenship and Immigration Services worth up to $190 million dollars, outraging lawmakers. The Government Accountability Office later ruled the government should reconsider the contract.
After the recent breach, the chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee pressed the DHS for details about USIS’s compromised records.
The incident “raises many questions about the safeguards contractors are taking to protect against cyber intrusions, as well as the oversight provided by the contracting agency,” said Sens. Tom Carper (D-Del.) and Tom Coburn (R-Okla.).
The two requested answers by Oct. 16. Neither office immediately responded to questions about what information they had received.
Carper is behind a bill that would set stricter guidelines for government agency information security policies.
The FBI has not officially confirmed the AP report, only acknowledging “there is some attribution” without specifying exactly who was responsible.
This story was updated at 8:02 p.m.