Last fall, the U.S. Office of Personnel Management ended a contract with U.S. Investigations Services Inc., after USIS said it had "identified an apparent external cyber-attack on USIS' corporate network" in which personnel files for at least 27,000 federal employees were stolen by hackers later traced to China. "We are deeply disappointed with OPM's decision, particularly given the excellent work our 3,000 employees have delivered on these contracts," Virginia-based USIS said before shutting the business, laying off 1,200 workers in Grove City, Pa., and more than 1,300 elsewhere.
In May -- after OPM disclosed it had been hit with a much larger hack, in which as-yet unidentified data thieves collected information on 18 million military and federal employees -- a review of the earlier hack by the Stroz Friedberg security firm showed China-based hackers got into USIS's government records through "an SAP enterprise resource planning application" (ERP), NextGov.com reported after reviewing investigation reports. "The cyber intruders got into the company through a glitch in software from tech firm SAP that was likely used to run certain back-office operations, such as human resources," wrote The Hill.
Neither USIS nor SAP would confirm to me that the hackers got in through SAP systems. But SAP spokesman Andrew Kendzie, in defending SAP's security provisions, stressed it doesn't feel responsible for clients' failure to keep updating: "We regularly issue security patches," he told me. "Although we strongly urge customers to implement those patches in a timely manner, we often do not have control over whether patches are implemented." By government contractors or anyone else.
Germany-based SAP's U.S. headquarters is in Newtown Square. USIS, once a government agency, was spun off under President Clinton in a cost-cutting move. It is a subsidiary of government-security contractor Altegrity, owned formerly by Carlyle Group and more recently by private-equity giant Providence Equity Partners.
Security hackers who make a living finding, publicizing and helping clients patch potential vulnerabilities at SAP, Oracle, PeopleSoft and other business software systems have been making the most of the USIS breach.
"This is a real example of consequences incurred due to a single vulnerability in business-critical applications," wrote Washington-based hacker consultant Alexander Polyakov in an email promoting his security seminars. "This breach occurred due to an inherent vulnerability in the SAP system."
SAP shares didn't move notably in the wake of the Stroz Friedberg revelations. "Customer security is a top priority for SAP," said Kendzie in a statement. SAP's "Secure Software Development Lifecycle" includes ongoing training, tools and updates SAP clients need to follow to keep up with evolving attacks and defenses.