Did a flaw from the tech firm SAP bare government secrets for hackers to steal? Or was it a security company's neglect?
Last fall, the U.S. Office of Personnel Management ended a contract with a Falls Church, Va., security contractor, U.S. Investigations Services L.L.C., after the company said it had "identified an apparent external cyber-attack on USIS's corporate network," in which personnel files for at least 27,000 federal employees were stolen by hackers later traced to China.
"We are deeply disappointed with OPM's decision, particularly given the excellent work our 3,000 employees have delivered on these contracts," USIS said. It had to shut the business group that served OPM, laying off 1,200 workers in Grove City, Pa., and more than 1,300 elsewhere.
In May - after OPM disclosed that it had been hit with a much larger hack, in which as-yet unidentified data thieves grabbed information on 18 million military and federal employees - a review of the earlier hack by the New York-based security firm Stroz Friedberg showed that China-based hackers got into USIS's government records through "an SAP enterprise resource planning application," the technology-and-government publication NextGov.com reported.
The Washington newspaper the Hill also reported that "cyber-intruders got into the company through a glitch in software from tech firm SAP," which is based in Germany and employs more than 2,500 at its North American headquarters in Newtown Square.
Security hackers who make a living finding, publicizing, and helping clients patch potential vulnerabilities in SAP, Oracle, PeopleSoft, and other business-software systems have tried to make the most of the USIS breach.
"This is a real example of consequences incurred due to a single vulnerability in business-critical applications," the Washington-based hacker consultant Alexander Polyakov wrote in an e-mail promoting his security seminars. "This breach occurred due to an inherent vulnerability in the SAP system."
Neither USIS nor SAP will say directly whether the hackers got in through SAP systems. But SAP spokesman Andrew Kendzie stressed that the software company does not feel responsible, in a world of constantly evolving security threats, for a client's failure to update SAP systems once they are in place.
"We regularly issue security patches," Kendzie said. "Although we strongly urge customers to implement those patches in a timely manner, we often do not have control over whether patches are implemented." By government contractors or anyone else.
Once a government agency, USIS was spun off under President Bill Clinton in a cost-cutting move. It is a subsidiary of the government-security contractor Altegrity Inc., owned by the private-equity giant Providence Equity Partners and formerly by Carlyle Group, big investors that squeeze earnings and fees from the contractors to which the federal government has outsourced much of its cybersecurity apparatus.
SAP investors have taken the revelations in stride: Shares did not move in reaction to the disclosures. It was the data security company - the software user - that lost the contract, not the software provider.