14 DAY TRIAL // The Office of the Attorney General in California has been served a copy of the letter the US Investigation Services (USIS) sent to the individuals affected by a breach in June this year, self-reported in August.
By California law, any person, business or agency is required to send the Attorney General a copy of the communication delivered to customers impacted by a breach incident that resulted in exposure of unencrypted personal information; there is no standard period to comply.
USIS is a commercial contractor that verifies the background of employees and applicants related to different US government agencies, Department of Homeland Security (DHS) included.
In the letter to the affected individuals, the organization offers one year of free protection services against identity theft because personally identifiable information had been exposed (names, dates of birth, Social Security numbers), along with usernames and passwords for online accounts.
According to information from the breach investigation, details on government workers, believed to amount to 25,000 andwhose background was checked by the company, has been exposed to the attackers.
However, this sort of benefit may not be too helpful in this case, since the organization itself admitted that the forensic experts believed that the intrusion had “all the markings of a state-sponsored attack.”
Given this tiny detail, it can be assumed that the attackers did not operate to steal the identity of the people whose background was investigated by USIS or that of the organization's employees, and the actual treasure for them consisted in the history details on the government workers.
However, there are cases where malware used for cyber espionage was also used for cybercriminal activities with a financial purpose, suggesting that hackers working for the government also do some work on their own.