Pentagon contractor Leidos hit by data breach

Internal documents leaked on cybercrime forum

Pentagon contractor Leidos hit by data breach

Image:
Pentagon contractor Leidos hit by data breach

Hackers have reportedly leaked internal documents stolen from Leidos Holdings Inc., a company with a significant contract portfolio including the US Defense Department, Homeland Security, and NASA.

A person with knowledge of the matter told Bloomberg News that the company believes the documents leaked by hackers were stolen during a previously disclosed breach at Diligent Corporation.

Diligent Corporation is a governance software provider whose services were used by Leidos to host information gathered in internal investigations.

"We have confirmed that this stems from a previous incident affecting a third-party vendor for which all necessary notifications were made in 2023," a Leidos spokesperson said, adding the company's network and sensitive customer data remain unaffected.

However, the nature of the leaked documents and their potential implications for national security remain unclear at this time.

Bloomberg News said it was able to access some files purportedly from Leidos on a cybercrime forum, but the information was heavily redacted, making verification difficult.

The stolen data mostly concerns "internal Leidos corporate data, such as reviews of employee issues and complaints," according to The Register.

Leidos, based in Reston, Virginia, employs approximately 47,000 people. Founded in 2013, the company expanded significantly in 2016 by merging with Lockheed Martin's Information Systems & Global Solutions (IS&GS) division, becoming a leading IT services provider in the defence industry.

Leidos reported revenues of $15.4 billion for the fiscal year ending 29 December 2023.

Its vast government clientele underscores the potential implications of this data breach for US national security.

In a statement, Diligent Corporation said the issue appears to concern a 2022 incident that affected its subsidiary, Steele Compliance Solutions. The company said it promptly notified affected customers at that time and took corrective actions to contain the breach.

Steele Compliance Solutions was acquired by Diligent in 2021.

"In November 2022, upon identification of the incident, we promptly notified impacted customers and took immediate corrective action to contain the incident. This incident did not impact Diligent Boards or any of our other products," Diligent Corporation said.

"We take security very seriously and believe we have taken the necessary steps to ensure any acquired company meets the same standard that our clients expect in a Diligent product," it added.

Leidos is likely to face increased scrutiny from its clients to assess the potential impact of the data breach and implement measures to prevent similar incidents in the future.

Last year, Microsoft said a state-backed threat group covertly accessed email accounts at around 25 organisations worldwide, including government agencies in the US.

Media reports said that email accounts belonging to Secretary of Commerce Gina Raimondo and officials from the Department of State were compromised.

The US State Department and the Commerce Department confirmed that they were impacted by the incident.

Microsoft attributed the attacks to Storm-0558, a threat actor based in China.