A cyberattack on a consulting firm working for the U.S. Department of Justice resulted in the theft of personal and medical data belonging to more than 340,000 individuals.
The stolen information was compiled as part of a civil legal case the Justice Department was involved in last year.
The data was supplied to Greylock McKinnon Associates (GMA), a consultancy that provides “litigation support services” and was assisting the department with the case.
GMA discovered on May 30 its internal network was breached. In a letter mailed last week to people impacted by the breach, the firm said it was the victim of a “sophisticated cyberattack” although it did not provide any details on how the breach occurred or who was responsible.
“Your personal and Medicare information was likely affected in this incident,” it told recipients of the letter.
“This information may have included your name, date of birth, address, Medicare Health Insurance Claim Number (which contains a Social Security number associated with a member) and some medical information and/or health insurance information.”
Eight-month delay before victims notified
GMA said it immediately engaged third-party cybersecurity specialists to assist with its response to the hack, and notified law enforcement and the DOJ.
The consulting firm subsequently filed statutory reports on the incident, including with the office of the Maine Attorney General, revealing the breach affected 341,650 individuals.
In its breach notification letter, GMA said it received confirmation of which individuals’ information had been compromised, and obtained their contact addresses, on Feb. 7.
It was not clear why it took eight months to assess the impact of the breach. The DOJ has yet to respond to media requests for comment on the incident.
Details of the legal action that prompted the collection of the data have also not been disclosed, although GMA told those affected: “DOJ has advised us that you are not the subject of this investigation or the associated litigation matters.”
GMA added it was told by the DOJ that the incident did not impact affected individuals’ current Medicare benefits or coverage. Medicare is a federal government health insurance program for people over 65 or with disabilities.
The firm has offered those affected 24 months of an identity theft protection service and credit monitoring. It said it deleted the DOJ data from its systems after the incident.
Hackers favor ‘weak link’ targets
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said the incident highlighted the fact threat actors were adept at stealing personally identifiable information (PII) not just from its original source, but wherever it was easiest to access.
“Security through obscurity no longer exists. Frequently, firms who provide consulting services to government agencies are being targeted as the weak link in the chain,” he said.
“This island-hopping attack should be concerning not only to the victims whose PII was stolen, but to the DOJ who should reevaluate the cybersecurity of this vendor.”
Last week, another consulting firm working for the federal government confirmed it was the victim of data theft.
Well-known hacker IntelBroker claimed to have stolen sensitive communications between the U.S. and its international Five Eyes intelligence partners by breaching federal technology consulting firm Acuity.
Acuity confirmed data it stored in GitHub repositories was stolen, but said the information was “dated and non-sensitive.”
“After conducting our own analysis and following a third-party cybersecurity expert investigation, Acuity has seen no evidence of impact on any of our clients' sensitive data,” Acuity CEO Rui Garcia said in a statement.
