According to a consumer data breach notice filed with the Maine attorney general’s office, the attack was described as an “external system breach” and “hacking” that impacted more than 6,000 people. The alert came after the company discovered “anomalous activity in its email environment” on July 12, 2021, also according to a filing with New Hampshire’s attorney general. 

That notice said that either an “unauthorized” actor or actors obtained access to company email accounts between March 2 and July 13 of that year — though Chemonics couldn’t identify the specific emails that were impacted, the company said in the disclosure. “The investigation also found no conclusive evidence of data exfiltration, and we have no evidence of actual or attempted misuse of personal information,” the notice stated.

The extent to which different types of information were released is unclear. The Maine notification said that driver’s license numbers and non-driver identification card numbers were released. The New Hampshire notice said that emails with individuals’ names and social security numbers were revealed in the breach — though “financial account information without corresponding access codes” was also included in some emails. The legal website JD Supra wrote that “access credential information” was also accessed, but the author did not respond to FedScoop’s request regarding the source of that information. 

Chemonics isn’t answering questions about what steps it’s taken to address the potential impact of the event on USAID, which the company works with in myriad partner countries. Nor did the company address whether it reported the incident to the Cybersecurity and Infrastructure Security Agency, the type of information impacted, or whether it has suffered any other breaches. 

“We are continually adapting and updating our cybersecurity policies and procedures to ensure we are current with the ever-evolving cyber threat landscape that impacts us all,” a Chemonics spokesperson said in response to a series of questions from FedScoop. “While we cannot comment on any specific cybersecurity incident, we are committed to safeguarding all data entrusted to us.” 

The spokesperson continued: “It is our practice to work transparently and proactively with our staff, clients, and partner organizations who may be affected by any potential incident, including complying with applicable laws. Cybersecurity continues to be a priority focus for Chemonics as we seek to achieve meaningful development impact in complex contexts around the world.”

Turke & Strauss, a law firm specializing in data breaches, states on its website that it’s investigating the company over the incident. The firm declined to discuss their work on the topic.

Notably, Chemonics appears to have had three chief information security officers in the past three years, though the company did not answer FedScoop’s question about whether anyone held the position before October 2021, when an individual on LinkedIn said that they started the position. The data breach notifications written in 2021 came from Pete Souza, who was described at the time as the director of cybersecurity, infrastructure, and system administration at Chemonics.

Those impacted were provided identity theft protection from the company, as well as active credit monitoring, per the disclosures. Notices for residents of states including Vermont, Montana, Massachusetts, and other states are available online. 

In regard to the incident, CISA referred FedScoop to Chemonics. So did a USAID spokesperson, who only added the following: “USAID takes the security and confidentiality of all our partners very seriously. Strong cybersecurity practices and policies are critical to the success of USAID and its partners. “

Back in May 2021, the Russian-backed group Midnight Blizzard, which was previously called Nobelium, orchestrated a cyberattack by impersonating USAID through its Constant Contact email marketing service to send “malicious links” to organizations that worked with the agency. Chemonics did not address whether this breach was related to Midnight Blizzard or that particular incident. 

The post A major USAID contractor said it was hacked in 2021. It’s still not sharing details appeared first on FedScoop.

“While the Justice Department is not aware of any specific reports of identity theft or other fraud resulting from this incident, the Department has ensured that those impacted have been offered fraud resolution services and credit monitoring,” Wyn Hornbuckle, a DOJ spokesperson, said in an email to FedScoop. “The investigation of this matter is ongoing.”

The response from the DOJ follows a public disclosure of the Boston-based consulting firm’s  breach last week on the Office of the Maine Attorney General’s website. According to that disclosure, first reported by TechCrunch, Greylock McKinnon Associates experienced a cyberattack in May 2023 that likely compromised Medicare information of 341,650 people, including their social security numbers. 

That information was obtained by the Justice Department “as part of a civil litigation matter” and given to the firm, which provides litigation support, in its “provision of services to the DOJ in support of that matter,” according to a letter GMA sent to people affected by the incident.

In that letter, GMA said it “detected unusual activity on our internal network” last May and “promptly took steps to mitigate the incident.” The firm said it worked with a third-party cybersecurity specialist in its response, notified DOJ and law enforcement, and in February, received confirmation of who was affected and their contact information. 

Hornbuckle said the firm notified the DOJ of the breach in May, “after which the Department required that Greylock identify those affected and immediately began its own process to address the breach.”

GMA could not be reached for comment. 

The post DOJ ‘not aware of any’ identity theft, fraud following consultant’s data breach appeared first on FedScoop.

The Department of Health and Human Services (HHS) agency said in a statement Friday it is working with the Reston, Virginia-headquartered company to notify by letter any individuals who may have been affected by the breach.

“The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have responded to a May 2023 data breach in Progress Software’s MOVEit Transfer software on the corporate network of Maximus Federal Services, Inc. ), a contractor to the Medicare program, that involved Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI),” CMS said.

The agency’s statement comes after Maximus in a Wednesday SEC filing revealed that its corporate network was affected by the MOVEit ransomware attack, discovered in May, and that between 8 million and 11 million individuals may have had their information compromised.

In response to the incident, CMS and Maximus are sending letters to any Medicare recipients whose information may have been compromised and will offer free-of-charge credit monitoring services for 24 months.

No CMS or HHS IT systems were compromised as a result of the cyberattack.

Maximus is one of hundreds of private and public sector entities that have so far been affected by the MOVEit ransomware attack, which targeted customers of Progress Software’s file transfer tool.

Other companies compromised include energy giant Shell and U.S.-based First Merchants Bank. Cybersecurity company Telos, which provides services to the Department of Defense and the Department of State, has also been affected.

A Maximus spokesperson told FedScoop in a statement that “[d]ata privacy and security are among our top priorities, and we are committed to protecting the data entrusted to us.”

“On May 31, Progress Software Corporation announced a critical security vulnerability in MOVEit, their managed file transfer software, which is used by many companies, including Maximus. We quickly took measures to respond to the situation and are thoroughly investigating the issue,” the statement continued. “To be clear, we have not identified any impact from the MOVEit vulnerability on other parts of our corporate network and remain confident in the integrity of the network.”

The company added: “We have been working with the subset of our customers who were using MOVEit as part of their workflows and continue to provide updates and support to them as our investigation proceeds. We continue to closely monitor our systems for any unusual activity.”

The post Maximus data breach may have exposed information of 612,000 Medicare recipients, CMS says appeared first on FedScoop.

The trademark office said the data leak affected about 3% of the total number of trademark applicants filed during the three-year period and that the issue was fully fixed on April 1, without any data having been misused. 

“Upon discovery, the USPTO reported the data exposure to the Department’s Senior Agency Official for Privacy and it’s Enterprise Security Operations Center, which in turn reported the exposure to the Department of Homeland Security. As you are aware, the USPTO also notified affected parties of the exposure,” a USPTO spokesperson emailed FedScoop.

“The USPTO has no reason to believe that the data has been misused,” the spokesperson added.

U.S. law requires trademark applicants to include their private address when submitting an application in order to combat fraudulent trademark filings.

The trademark office said in a notice sent to all those impacted by the data leak that by April 1 the issue had been fully fixed by properly masking all of the private addresses and correcting all system vulnerabilities found.

The trademark office said that in February it discovered that private domicile addresses that should have been hidden from public view appeared in records retrieved through some application programming interfaces (APIs) of the Trademark Status and Document Review system (TSDR). The APIs are used in apps by both agency staff and trademark filers to access the TSDR system for checking the status of pending and registered trademarks.

Some private addresses also appeared on the bulk data portal of the USPTO website.

The trademark office highlighted that as a federal government agency, the USPTO does not have the same reporting requirements as a private company or a state or local agency would and does have a process whereby those who do not want their address to be shown publicly can request that it is not made public or they can waive the requirement altogether.

Details of the USPTO leak were first reported by TechCrunch.

The post US Patent and Trademark Office data leak exposed 61K private addresses  appeared first on FedScoop.

In the note, DOT said it was working to notify affected individuals whose personally identifiable information may have been compromised as a result of the breach and to help mitigate potential risks.

It said: “The data breach impacts individuals that are enrolled in the US Department of Transportation’s (DOT) transit benefit program (TRANServe).  TRANServe manages the transit benefit program for DOT and other federal agencies.  The breach occurred within the system that supports TRANServe.”

TRANServe is a commuting benefits system that reimburses staff across the federal government for certain transportation costs.

According to the email, information compromised as a result of the breach may include details such as the name of TRANServe transit benefit recipients, their agency, work email address, work phone number, work address, home address, SmarTrip card number, and/or TRANServe Card number.    

Details of the breach were first obtained on Friday by Reuters, which reported that the breach is expected to affect 114,000 current federal employees and 123,000 former federal employees.

According to the TRANServe program website, the TRANServe Parking and Transit Benefit System (PTBS) is currently down due to unscheduled maintenance.

The Transportation Department notified Congress Friday in an email obtained by Reuters that its initial investigation of the data breach has “isolated the breach to certain systems at the department used for administrative functions, such as employee transit benefits processing.”

In a statement to FedScoop, the Department of Transportation said: “The Office of the Chief Information Officer (OCIO) at DOT is continuing to investigate a data breach affecting the Department. The preliminary investigation has isolated the breach to certain administrative systems at the Department used for functions such as employee transit benefits processing.

The agency added: “It did not affect any transportation safety systems. With the support of other federal agencies, including CISA, the OCIO is addressing the breach and has suspended access to relevant systems while we further investigate the issue, and secure and restore the systems.”

The Transportation Department will make credit monitoring available to all current and former employees affected by the breach. The Office of Personnel Management will also offer to monitor the financial statements of those affected.

The maximum TRANServe benefit allowance is $280 per month for federal employee mass transit commuting cost.

Ben Freed contributed to this report.

Editor’s note, 5/16/23: This story was updated to include comment from the Department of Transportation.

The post Transportation Dept. cyber breach exposes data of federal employees appeared first on FedScoop.

The District of Columbia’s health insurance exchange confirmed Wednesday that it was working with law enforcement to investigate data posted on a public forum that was purportedly obtained by a breach of the exchange. It’s unclear how many individuals the alleged breach may have impacted.

A sample of the stolen dataset reviewed by CyberScoop indicates that the victims of the breach range from some of Washington’s K-Street powerbrokers to coffee shop employees. Both businesses and individuals can use the exchange to purchase health insurance policies, and among its customers are lobbying firms, civil society groups, a dentist office and a design firm. 

CyberScoop is not naming any of the affected individuals nor their employers, but the sample data set includes one firm that boasts a large number of employees who have gone on to work in the White House. The former defense official whose alleged personal data CyberScoop viewed is a mainstay of the city’s national-security establishment. Neither the firm nor the former official returned requests for comment.

Security experts caution that the consequences of a breach like this are difficult to predict. “The hard thing about this kind of data breach is it’s not just the data alone, it’s when you combine the data with other data sets that nation states or bad actors might have,” said Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University. Jaffer called the breach “deeply concerning” especially given that it may affect members of Congress and their staff.

CyberScoop was able to verify portions of the dataset available in the public record and the authenticity of one victim’s leaked data. The Associated Press verified the authenticity of the data with two victims. It’s not clear what time frame the data obtained by the hacker spans. The leaked data includes names, email addresses, dates of birth, home addresses, social security numbers and details about insurance policies.

A person using the moniker “IntelBroker” first posted the stolen data on March 6 to an online forum, where data breaches are publicized and data is either published for download or offered for sale. That post was subsequently pulled down, and “IntelBroker” is now listed permanently banned. 

Three days later, on March 9, a second user going by the name “Denfur” — whose signature on the site reads “Glory to Russia!” — posted what they claimed was the full database, along with a sample that includes 200 entries. The full dataset includes 67,565 unique entries and about 55,000 “unique people,” Denfur claimed. 

At about midday Thursday Denfur also claimed that “the intended target WAS U.S. Politicians and members of U.S. Government.” The quote appeared alongside a link to a news story about the incident quoting House of Representatives Chief Administrative Officer Catherine Szpindor as saying that the members of Congress were not the specific target of the attack.

The breach came to light after members of Congress and their staff were warned that their data may have been exposed.

IntelBroker did not respond to a request for comment. A review of IntelBroker’s activity on the forum shows multiple instances in which they claimed to have either hacked entities themselves or shared information hacked or scraped by others, including data supposedly linked to the U.S. Department of Defense, the Department of Health and Human Services and other U.S. government information.

A spokesperson for the FBI said the bureau is aware of the incident and is investigating but declined to comment further. According to a letter from congressional leaders to the head of the DC exchange, the FBI has purchased some of the stolen data on the dark web, NBC News reported. 

DC Health Link confirmed that the data for some customers had been exposed on a public forum and that it was working with law enforcement to investigate.

“We are in the process of notifying impacted customers and will provide identity and credit monitoring services,” Adam Hudson, public information officer at the DC Health Benefit Exchange Authority, told CyberScoop in an email Thursday. “In addition, and out of an abundance of caution, we will also provide credit monitoring services for all of our customers. The investigation is still ongoing and we will provide more information as we have more to share.”

As of Thursday afternoon, several DC Health Link customers told CyberScoop that they hadn’t received any notice from the exchange about the incident any had only become aware of it through the news. One victim reached by CyberScoop Thursday said the data in the sample appeared legitimate and that they had not been contacted by anybody about the breach prior to CyberScoop’s call.

This week’s breach is far from the first time U.S. government officials — current and former — have seen their personal information exposed. The 2015 breach of the Office of Personnel Management saw Chinese hackers obtain the personal data of 21.5 million people collected as part of background investigations. A Republican-led House Oversight Committee warned in 2016 that the breach would “harm counterintelligence efforts for at least a generation to come.” The breach has also cost the federal government billions in identity monitoring services. 

The post DC health exchange breach affects former national security officials, Congress appeared first on FedScoop.

Alan Davidson—the assistant secretary of Commerce for Communications and Information and the NTIA administrator—said the agency had issued a request for comment “on how we can increase our vigilance at the intersection of privacy and civil rights,” during an event hosted by the Georgetown Law school.

The National Telecommunications and Information Administration (NTIA), which is President Biden’s principal advisory body on tech and telecom policy issues, will focus its inquiry on discriminatory data practices related to: online job discrimination based on demographic characteristics; apps that collect and sell location data about user movement, particularly dating and religious apps; and the heightened cost of data breaches on low-income communities.

“Our inquiry will help us analyze the outsized consequences that data practices can have on marginalized communities, and make specific recommendations on solutions,” Davidson said. “We know that addressing the disproportionate harms borne by these communities will take more than just privacy reforms. But increased protections are an important step toward that goal.”

The NTIA’s initiative is meant to bolster the Biden Administration’s six ‘Principles for Enhancing Competition and Tech Platform Accountability’ announced last September. The Big Tech reform rules were emphasized in Biden’s recent Wall Street Journal op-ed, call for “robust federal protections for Americans’ privacy” and an end to “discriminatory algorithmic decision-making.”

Building on the previously announced six principles, Davidson said the need for a federal privacy framework “is especially acute when we consider the impact on disadvantaged groups.” 

Davidson added that data privacy invasions can be felt more starkly by marginalized communities due to the difficulty for facial recognition tools to accurately identify people of color and the problematic ways in which phone apps can collect and store sensitive information related to users’ sexual orientation or religion. 

“Data collection and sharing creates the risk of new digital discrimination replicating previous forms of profiling, redlining and exclusion,” said Davidson. “We are concerned about how these practices can hinder economic and social opportunities, from housing and jobs to health and safety.”

Federal contractors providing government departments with HR services are already held accountable for computer-based tools that discriminate against potential employees with disabilities under a joint initiative launched in May by the Department of Justice and the Equal Employment Opportunities Commission.

The NTIA data privacy request for comment builds on the work conducted by the agency during three listening sessions. Comments will be due 45 days from publication in the Federal Register.

The post NTIA launches probe into discriminatory data practices and civil rights appeared first on FedScoop.

The internal probe is being led by the agency’s Office of Professional Responsibility and Office of the Chief Information Officer, FedScoop has learned.

As part of the investigation, ICE will analyze IP addresses to establish which entities may have accessed the PII while it was publicly available, and issue “claw-back” letters instructing individuals and organizations to destroy any files they may have retained.

The remedial action comes after details including names, nationalities and locations were accidentally uploaded to the agency’s website.

The data disclosure may have directly placed immigrants at risk of retaliation from the individuals, gangs and governments they are fleeing, according to the Los Angeles Times, which first reported details of the incident.

All of the immigrants affected by the data disclosure are currently in ICE custody.

An Excel spreadsheet containing the names and A-numbers of 6,252 non-U.S. citizens seeking protection in the U.S. was uploaded to ICE’s website at 9:45 a.m. EST on Monday.

Four hours later at 1:53 p.m., ICE was notified by nonprofit Human Rights First that PII had been uploaded to its website, and the file was deleted by 2:04 p.m.

Federal regulations generally make it illegal for such data disclosure without permission from top officials in the Department of Homeland Security because personal information of asylum seekers is supposed to be kept confidential.

In a statement to FedScoop, ICE said: “On November 28, 2022, while performing routine updates, a document was erroneously posted to ICE.gov for approximately five hours that included names and other personally identifiable information, along with immigration information, of approximately 6,000 noncitizens in ICE custody.”

They added: “Upon notification, U.S. Immigration and Customs Enforcement took swift action to immediately rectify the error. Though unintentional, this release of information is a breach of policy and the agency is investigating the incident and taking all corrective actions necessary. ICE is notifying noncitizens impacted by the disclosure.”

Following the data disclosure, ICE is reviewing policies, practices and technologies to reduce the risk of future improper disclosure of information.

The post ICE launches investigation after data of more than 6,000 immigrants exposed appeared first on FedScoop.

Following an internal investigation by the VA’s Data Breach Response Service, the agency removed a spreadsheet containing personal details including vaccination status, according to a notice sent to the agency’s bargaining unit employees that was obtained by FedScoop. Federal Times first reported about the data breach.

Approximately 500,000 employees’ vaccination records were last year disclosed without permission and were sent to various members of Veterans Health Administration (VHA) senior leadership, according to the American Federation of Government Employee’s (AFGE) union, which filed a grievance.

Under the Health Insurance Portability and Accountability Act, regulated entities are prohibited from disclosing an individual’s protected health information, which includes COVID-19 vaccination status.

“Upon internal review, the VA agrees that the information contained in these documents should not have been placed on SharePoint without appropriate access permissions and this incident resulted in the inadvertent or unauthorized transmissions or disclosure of sensitive personal information,” said Jessica Bonjorni, chief of human capital management for the VA said in a notice to AFGE bargaining unit members on Nov. 9 and Nov. 10.

“Offering the highest levels of privacy protection to VA employees remains a top priority for both VA and AFGE. VA has investigated the matter, and the at-issue spreadsheet has been removed,” she added.

The spreadsheet that was incorrectly disclosed in the data breach in October 2021 included employee names and indicated whether or not they had been vaccinated, according to the AFGE National VA Council.

A VA spokesperson said: “VA remains committed to providing the highest levels of privacy protection to its employees. We investigated this matter and concluded on November 16, 2021, that the breach demonstrated a low risk of compromise.”

The emailed notice sent by Bonjorni said that the agency will complete any additional required investigations.

Editor’s note, 12/1/22: This story was updated to include comment from the VA.

The post VA admits to improperly disclosing COVID-19 vaccine data for 500,000 staff appeared first on FedScoop.

The IRS‘s Computer Security and Incident Response Center continues to conduct forensic reviews and network log analysis in the wake of the cyberattack, but the initial findings appear positive, J. Russell George wrote in a letter to Reps. Bill Pascrell, D-N.J., and Mike Kelly, R-Pa., Wednesday.

Pascrell and Kelly, who lead the Oversight Subcommittee within House Ways and Means, wrote George for an update after the Department of the Treasury learned it was compromised on Dec. 13.

“At this time, there is no evidence that any taxpayer information was exposed,” George responded. “[The Treasury Inspector General for Tax Administration] will continue working with the IRS in conducting additional forensic reviews and network log analysis as additional information related to this event becomes available.

The Cybersecurity and Infrastructure Security Agency required all agencies using SolarWinds‘ Orion software to review their networks for evidence of compromise and disconnect or power down the network monitoring framework.

At least seven agencies were compromised by malware linked to Russian hacking group APT29, or Cozy Bear. The hackers were able to push the malicious code alongside SolarWinds’ software updates to federal agencies, major corporations and other customers of the Texas-based company.

“We respectfully request a briefing by December 22, 2020 and a follow-up report,
if needed, on (1) what the Treasury Inspector General for Tax Administration (TIGTA)
knows about the impact, if any, of the compromise on the Internal Revenue Service (IRS)
at this time and (2) what TIGTA plans to do in the future to oversee IRS actions to
mitigate the harm to its systems and taxpayers, and to protect against future incursions,” the lawmakers wrote in their letter to George.

With at least 32 federal agencies having purchased SolarWinds Orion software since 2006, similar announcements are likely on the horizon from other agencies as to whether they were compromised and even had data exposed.

The post ‘No evidence’ IRS taxpayer information exposed by SolarWinds hack appeared first on FedScoop.