USIS Failed Both Primary Missions
USIS is the Federal Contractor that handles the personal information and background checks for people that need secret clearances to work in the Federal Government. As such, they really only have two primary goals: Actually do the background checks to make sure thieves, liars, traitors and crazy people dont get a clearance, and protect all of the personal data collected on individuals so that data wont fall into the wrong hands. And it seems that USIS sucks at doing either of those tasks.
From the AP here:
The internal records of as many as 25,000 Homeland Security Department employees were exposed during a recent computer break-in at a federal contractor that handles security clearances.
The official, who spoke on condition of anonymity to discuss details of an incident that is under active federal criminal investigation, said the number of victims could be greater. The department was informing employees whose files were exposed in the hacking against contractor USIS and warning them to monitor their financial accounts.
Earlier this month, USIS acknowledged the break-in, saying its internal cybersecurity team had detected what appeared to be an intrusion with “all the markings of a state-sponsored attack.” Neither USIS nor government officials have speculated on the identity of the foreign government.
USIS, once known as U.S. Investigations Services, has been under fire in Congress in recent months for its performance in conducting background checks on National Security Agency systems analyst Edward Snowden and on Aaron Alexis, a military contractor employee who killed 12 people during shootings at the Navy Yard in Washington in September 2013.
The Justice Department filed a civil complaint in January against USIS alleging that the firm defrauded the government by submitting at least 665,000 security clearance investigations that had not been properly completed and then tried to cover up its actions. USIS replied in a statement at the time that the allegations dealt with a small group of employees and that the company had appointed a new leadership team and enhanced oversight and was cooperating with the Justice probe.
It’s not immediately clear when the hacking took place, but DHS notified all its employees internally on Aug. 6.
So they didn’t do the background checks properly and didn’t bother to properly secure all of that personal information. Speculation is that a foreign government may now have complete dossiers on DHS employees- border agents, TSA agents, and even Coast Guardsmen. A smart attacker could use this information to pick out persons that are more likely to spill secrets. What could possibly go wrong?