The number of individuals victimized in a cyberattack on a major background investigation service is higher than previously reported, the House Oversight Committee’s top Democrat said Wednesday.
Rep. Elijah Cummings (D-Md.) reported that the initial estimate of 27,000 federal employees compromised in the breach of government contractor USIS is now believed to be a “floor, not a ceiling.”
“The actual number of individuals affected by the USIS data breach is still not yet known, but [government] experts believe that the personal information of many more federal employees may have been compromised,” Cummings said at a hearing.
The revised estimate was made by executive branch investigators during a Sept. 3 committee staff briefing on the USIS breach, Cummings said.
Wednesday’s hearing focused on the threat of hackers who find it easier to access third-party contractors and vendors and use that foothold to attack government agencies and other valuable targets.
A witness from the Government Accountability Office (GAO) urged agencies to do more to protect themselves.
Until they do, “federal systems and information, as well as sensitive personal information about members of the public, will be at an increased risk of compromise from cyber-based attacks and other threats,” said GAO Director of Information Security Issues Gregory C. Wilshusen in prepared remarks.
The USIS breach, referenced as an example of contractors’ vulnerability in the hearing, took place last year.
Experts believe that Chinese hackers were responsible, and said the attack echoed a previous intrusion at the Office of Personnel Management when the Chinese went after the files of tens of thousands of government workers with top-secret clearances.
Cummings has pressed for answers about the breach since last year, and claimed Wednesday that USIS has held back vital information.
“Unfortunately, investigating the USIS data breach has been particularly challenging because neither USIS nor its parent company, Altegrity, have fully complied with this committee's requests for answers,” Cummings said.
As part of the same effort, the Maryland Democrat has sought information from other breached companies, including Home Depot, Target and Kmart.