The largest union of federal employees says neither the Office of Personnel Management nor its recent government contractors were able to maintain adequate security for personal data developed as background checks were run on potential employees, and said these failures are a big reason why thieves were able to hack into OPM's system and steal information on millions of current and former workers.
The American Federation of Government Employees filed a class-action lawsuit against OPM on Monday that said OPM's historical failure to shore up its cybersecurity systems was a major problem. But it also said KeyPoint Government Solutions also needs to bear much of the blame, as this company had its own "cybersecurity weaknesses."
OPM Director Katherine Archuleta, who is also named as a defendant in the suit, testified before Congress recently that hackers accessed OPM's systems using a KeyPoint employee's credentials. KeyPoint doesn't dispute that narrative but maintains it is not responsible for attacks.
But AFGE's lawsuit says KeyPoint was a very weak link in the chain. The suit says that according to an unnamed forensic expert, KeyPoint "never set up logs," which means the company itself can't say how it was compromised.
"It's like if you go into a 7-Eleven and the security camera is not on," that expert said, as quoted by the lawsuit.
"The combination of KeyPoint's cybersecurity weaknesses and the OPM's cybersecurity failures caused the massive scope of the OPM breach," the union said in its suit. AFGE is seeking compensation for the data breach, which might have affected more than the 4.2 million people that OPM has confirmed so far.
KeyPoint's contribution to what many say is the largest data hack ever on the U.S. government is somewhat ironic. That company took on a heavy workload after its predecessor, U.S. Investigations Services, lost that work in 2014 after its own systems were breached.
KeyPoint didn't respond to a request for comment about the lawsuit. But AFGE said it doubted all along that KeyPoint would be able to seamlessly take over USIS's work.
"[B]ecause USIS's caseload was significant and involved 21,000 background checks a month, there was skepticism that any entity could cover the workload on 'short notice,' " the lawsuit said. It added that a former USIS senior investigator was asking at the time if KeyPoint could "handle the influx of these new employees and all the work that gets dumped on them by OPM."
According to the union, that skepticism was well-founded. "In the wake of the KeyPoint hack, and in view of the OPM breach, it has become apparent that KeyPoint and the OPM could not handle the workload and protect" government workers' personnel files "and other confidential information in an adequate and secure manner," the suit charged.
It also said better attempts by OPM to manage the workload of its contractors could have helped it avoid the breach.
Even before its problems at OPM, USIS was creating its own sordid history of working with the government. The company processed the security clearances of both National Security Agency leaker Edward Snowden and Aaron Alexis, who killed 12 people when he shot up the U.S. Navy Yard in 2013.
USIS is also the subject of a $1 billion Justice Department False Claims Act suit for collecting payment on 665,000 background investigations it allegedly never performed. And last year, a key House Democrat said the company was able to evade oversight as it worked with OPM.
"Inexplicably, USIS also had a separate contract with OPM to conduct additional quality reviews on behalf of the agency," Rep. Elijah Cummings said at a House Oversight and Government Reform Committee hearing on the matter held in February of 2014. "In other words, USIS was checking its own work."
OPM did not renew USIS' contracts when they expired last September.
OPM Inspector General Patrick McFarland has scolded the federal government's human resources department for lax security, poor contractor oversight and not following proper procurement procedures. But even after ditching USIS, McFarland couldn't say last month if the new company, KeyPoint, was doing any better when it comes to security.
"We do not know that at this time," he said when asked at the Senate Homeland Security and Governmental Affairs Committee.
Ann Barron-DiCamillo, director of the Homeland Security Department's U.S. Computer Emergency Readiness Team, told the House Oversight and Government Reform Committee last month that hackers got to OPM by accessing KeyPoint's networks.
"So during that time they were able to leverage certain malware to escalate privileges for the entry point," she said. "So they entered the network; we're not quite sure how because of a lack of logging."
That led Sen. Jon Tester, D-Mont., to ask McFarland if KeyPoint's contracts, like USIS's before it, should be terminated. "I have to have more information; I would not be able to answer that right now," he stated.
Despite that answer, Archuleta was more favorable to KeyPoint. "KeyPoint has taken the steps necessary to mitigate any security questions. They have been very active in working with us on that," she stated.
Aside from the issue of performance, the federal workers' union called out KeyPoint for having ties to other federal contracting bad actors.
For example, Veritas Capital is KeyPoint's parent company. Veritas, a private-equity firm, previously owned DynCorp, which the Office of the Special Inspector General for Iraq Reconstruction accused of improper billing.
Veritas also assumed MZM Inc., which was scandalized by allegations that its founder bribed disgraced former Rep. Duke Cunningham, R-Calif. MZM is now Athena Innovative Solutions and still very much in the contracting game.
KeyPoint has paid numerous defense luminaries to serve on various boards, including former Homeland Security Director Michael Chertoff, who served directly on the board of directors from 2009-20012, former Deputy Secretary of State Richard Armitage, and retired Gens. Richard Hawley, Barry McCaffrey and Anthony Zinni.