Cybersecurity

Top Dem: Background check contractors should testify on hack

Rep. Elijah Cummings (D-Md.) on Tuesday accused a major government contractor that performs background checks of refusing to appear before Congress as questions swirl about whether hackers used information stolen from the company to infiltrate federal networks.

In the last year, the top two outside firms conducting government background checks — U.S. Investigations Services (USIS) and KeyPoint Government Solutions — have been hacked.

{mosads}Officials have said privately that they are looking into whether information and electronic credentials picked up during one or both of those cyberattacks aided hackers in infiltrating the Office of Personnel Management (OPM).

Many believe the OPM hack has exposed up to 14 million people’s sensitive information. It’s thought to be the largest digital theft of government data ever.

The House Oversight and Government Reform Committee, on which Cummings is the top Democrat, looked into the OPM hack at a Tuesday hearing.

“Mr. Chairman,” Cummings said, referring to the panel’s chair, Rep. Jason Chaffetz (R-Utah). “I asked you to invite both KeyPoint and USIS representatives here to testify today. You agreed to invite USIS, but last night they refused, just as they have refused repeated requests for information over the past year.”

It’s imperative to get information from both companies to determine if they provided the pathway into the federal government, Cummings said.

“I do not say this lightly, Mr. Chairman, but I believe USIS and its parent company may now be obstructing this committee’s work,” he said.

During the hearing, OPM and Department of Homeland Security officials declined to confirm any type of link between the USIS and KeyPoint breaches and the OPM breach, citing the confidential ongoing investigation.

Cummings has indicated previously that the USIS breach maybe be worse than initially thought. He reported that the initial estimate of 27,000 federal employees compromised is a “floor, not a ceiling.”

The KeyPoint hack laid bare the computer files of over 40,000 federal employees.

After a classified briefing with administration officials later that afternoon, Cummings doubled down on his call.

“I now feel more strongly than ever that the Oversight Committee must hear directly from OPM’s two contractors — KeyPoint and USIS — either in transcribed interviews or in formal testimony before the committee,” he said.

Exiting the briefing, the committee’s chair, Rep. Jason Chaffetz (R-Utah), agreed with his colleague. 

“What’s going on with contractors is a very valid point, it’s something we should be looking at,” he told reporters, adding that he wasn’t sure what it would take to get them to testify.

“The point is well taken that contractors aren’t off the hook either,” Chaffetz said. “The federal government has to hold those contractors accountable, but when they do mess up, what’s the consequence?”

— Updated 4:26 p.m.