Contractor denies culpability for hack of government networks

The government’s major background check contractor on Wednesday denied reports that hackers used data stolen from its networks to conduct perhaps the largest federal data breach ever.

Suspected Chinese hackers were discovered in KeyPoint Government Solutions last September, exposing background check files on over 40,000 federal employees.

According to recent reports, federal investigators believe the digital intruders also picked up electronic credentials from KeyPoint that helped them break into the Office of Personnel Management (OPM) in December, gaining access to 4.2 million federal workers’ data.

“I would like to make clear that we have seen no evidence suggesting KeyPoint was in any way responsible for the OPM breach,” said KeyPoint CEO Eric Hess during a House Oversight and Government Reform Committee hearing on Wednesday.

But it does appear that a KeyPoint employee’s credentials were stolen, just while that employee was on the OPM system.

“To be clear, the employee was working on OPM’s systems, not KeyPoint’s,” Hess said.

OPM Director Katherine Archuleta acknowledged in testimony Tuesday that a KeyPoint credential was indeed used to access the OPM networks.

However, she added, “we don’t have any evidence that would suggest that KeyPoint as a company was responsible or directly involved in the intrusion.”

Lawmakers on Wednesday didn’t take kindly to Hess’s distinction.

“Did that KeyPoint employee have OPM credentials as part of his or her scope of employment within KeyPoint?” asked Rep. Matt Cartwright (D-Pa.).

Hess agreed.

“You understand under traditional concepts of the law, KeyPoint is responsible for the acts of its employees acting within the scope … of their employment,” Cartwright concluded.

“I’m not familiar with that,” Hess replied.

Rep. Elijah Cummings (D-Md.), the committee’s ranking member, lashed out at Hess for evading congressional inquiries. Cummings has been leading the charge to get KeyPoint to testify before or meet with the Oversight Committee.

“For months there was a back-and-forth because you all did not want to agree to the scope of the meeting,” he said angrily.

Cummings and other lawmakers pressed Hess to provide full responses to all of the committee’s questions.

“I will take that back to my team,” Hess said, touching off a testy exchange with Oversight Committee chairman Jason Chaffetz (R-Utah).

“You’re the CEO,” Chaffetz responded. “You want me to issue a subpoena?”

“I’m trying to be helpful, chairman,” Hess replied.

The OPM has not explained exactly how hackers compromised another agency database containing security clearance background investigation files. That second attack occurred a full year ago and has potentially exposed tens of millions of people's data.