A leading government security contractor was recently itself the victim of a cybersecurity attack. Defense Point Security LLC, a Virginia based government cybersecurity contractor told employees that hackers gained access to the company’s servers and made off with sensitive W2 data. The company bills itself as “the choice provider of cyber security services to the federal government.” If Defense Point can get hacked, is anyone safe?
Media reports say the company disclosed to employees that a spear phishing attack allowed the hacking incident to occur. The information apparently accessed by criminals include employee names, social security numbers and addresses. That information is sufficient to allow criminals to engage in identity theft, obtain the victim’s tax refund and often access bank accounts or open accounts in the name of an unsuspecting victim.
The company’s CEO told employees, “I want to alert you that a Defense Point Security (DPS) team member was the victim of a targeted spear phishing email that resulted in the external
release of IRS W-2 Forms for individuals who DPS employed in 2016. Unfortunately, your W-2 was among those released outside of DPS.”
W-2 forms are a popular target of cyberhackers. The W2 has enough information to allow hackers commit identity theft.
Spear phishing schemes frequently target HR and accounting personnel. These folks often have access to W-2 information.
What makes this incident especially concerning is that Defense Point Security provides cybersecurity services to Immigration and Customs Enforcement (ICE). Those services include work for ICE’s Security Operations Center. The Center handles critical incident response along our borders.
According to the company’s website, “Defense Point Security has expertise and a proven track record performing all areas of Computer Network Defense (CND). DPS understands the cyber security challenges faced by our customers, particularly pertaining to the ever-changing and persistent threat landscape that has continually increased over the past several years.”
The company also claims, ‘We choose to lead from the front and refuse to become complacent in the constantly evolving cyber security industry.’
Cybersecurity Consultant Raps Defense Point for Material Weaknesses
A well respected cybersecurity consultant, Brian Krebs, had this to say about the incident,
“I find it interesting that a company which obviously handles extremely sensitive data on a regular basis and one that manages a highly politicized government agency would not anticipate such attacks and deploy some kind of data-loss prevention (DLP) technology to stop sensitive information from leaving their networks.
“Thanks to their mandate as an agency, ICE is likely a high risk target for hacktivists and nation-state hackers. This was not a breach in which data was exfiltrated through stealthy means; the tax data was sent by an employee openly through email. This suggests that either there were no DLP technical controls active in their email environment, or they were inadequately configured to prevent information in SSN format from leaving the network.
“This incident also suggests that perhaps Defense Point does not train their employees adequately in information security, and yet they are trusted to maintain the security environment for a major government agency. This from a company that sells cybersecurity education and training as a service to others.”
Defense Point was recently acquired by Accenture.
Cash Awards for Cybersecurity Whistleblowers
We are certainly sympathetic to the employees of Defense Point Security. This incident proves that anyone can become a victim of cyberhacking. Hopefully, the security lapses that resulted in the loss of W2 information did not result in a loss of sensitive government data. When that happens, companies like Defense Point can be held responsible.
The Department of Defense and other government agencies require contractors and vendors entrusted with sensitive government data to have robust cybersecurity measures in place. These regulations and contracting guidelines also require prompt reporting of any incidents to Uncle Sam.
The government cannot investigate a cyberhacking incident or take protective measures if they aren’t told of the problem. (Although we don’t know the date that Defense Point learned of the theft of W2 information, the fact that it was 2016 W2 information suggests that its notification was made promptly. Assuming we are correct, we applaud the company for letting affected workers know right away.)
Company insiders or contractors that have information about cybersecurity incidents involving government contractors or data may be eligible for awards. If the company failed to take adequate information security safeguards or failed to promptly report, large cash awards may be available.
At this writing, we only know of Defense Point’s loss of W2 data. If there are other unreported breaches involving government data, that information could lead to an award.
Sadly, we know that many contractors find themselves in a catch 22. If they follow the law and report the incident, there is a good chance they lose their government contract. Not reporting, however, can result in huge losses for taxpayers and even endanger our national security. One person told us that his/her company sat on a successful cyberhacking incident for months simply wondering what they should do. When delays occur, however, the damage is often done and it becomes impossible for government officials to track the hackers.
Under the federal False Claims Act, whistleblowers can receive an award of between 15% and 30% of whatever the government collects from wrongdoers. Whistleblowers filing claims under the Act are also protected against illegal retaliation. In some cases, we can help protect their identity from public disclosure.
Mahany Law – Your First Choice in Cybersecurity Whistleblower Lawyers
Think you may have information about cybersecurity / cyber hacking involving Defense Point Security or other government vendor? Call us! Before you call a hotline, before you tell co-workers and before you take documents to prove your claim, call us first. We can help protect your rights, evaluate your claim and insure you get the highest award possible.
For more information, visit our cybersecurity whistleblower page. You can also contact the author of this post, attorney Brian Mahany, at or by telephone at (414) 704-6731 (direct). All inquiries protected by the attorney – client privilege.