The computer files of more than 40,000 federal workers may have been compromised by a cyberattack at federal contractor KeyPoint Government Solutions, the second breach this year at a major firm handling national security background investigations of workers at federal agencies, the government confirmed Thursday.
Concerned that some data might have been exposed, the Office of Personnel Management has begun notifying the workers that their files were in jeopardy. Nathalie Arriola, speaking for the personnel office, said it will offer credit monitoring at no cost to those affected by the breach.
KeyPoint became the largest private clearance firm working for federal agencies several months ago after rival contractor USIS lost its investigations business with the government following a devastating cyberattack reported earlier this year. The USIS breach, similar to previous hacking episodes traced to China, tainted the files of at least 25,000 Department of Homeland Security workers and prompted the personnel office's decision to halt all of USIS' government field work. That move led to the cancelation of more than $300 million in contracts with USIS.
Cyberattacks have targeted several other federal agencies this year. A wide-ranging strike reported in November compromised the data of more than 800,000 Postal Service workers. The personnel office itself was targeted earlier by cyberhackers traced to China.
Arriola said Thursday her agency is continuing to work with KeyPoint despite the severity of the strike. "KeyPoint has worked closely with OPM to implement additional security controls," Arriola said.
In an earlier email within the agency, Donna Seymour, the chief information officer, said KeyPoint had added "numerous controls to continue to conduct business with the company without interruption." In the USIS breach, that firm and the OPM differed over how extensively USIS needed to upgrade its computer network and security safeguards. The disagreement led to the suspension of USIS field investigations.
Neither Arriola nor Seymour said when the latest strike occurred or was reported to federal authorities, or whether a foreign state was suspected. Colorado-based KeyPoint declined comment through a public affairs firm.
Arriola said officials recently concluded an investigation into the KeyPoint breach and found "no conclusive evidence to confirm sensitive information was removed from the system."