Education Contractor Withheld Data from Cyber Investigators

An Accenture subcontractor interfered with a security audit of an Education Department financial aid system that inspectors say showed signs of unauthorized access.

The situation sounds reminiscent of claims by the government that background check provider USIS obstructed federal investigators from scanning the company's network after a 2014 breach.

This time, however, the subcontractor, Total System Services, a Georgia-based credit card processor, had signed an agreement with Education to provide login information months before inspectors visited in July.

Department Inspector General Kathleen Tighe said multiple times during a House hearing the vendor refused to provide her office with a list of all user IDs and their respective access rights.

Ultimately, the firm handed over a listing that left inspectors concerned other TSYS customers might have compromised sensitive student and parent information.

"In the end, they were not able to provide us very critical information for us to do a full vulnerability testing," Tighe said during a Tuesday House Oversight Committee hearing on the department's information security.

Education, with control over a trillion dollars in outstanding student loans, is the equivalent of Citibank in terms of its value to hackers.

Between 2001 and April, the tool in question, called the Common Origination and Disbursement system, had processed more than $1 trillion in federal student loans and grants, according to Accenture. The system provided $130 billion in aid to more than 14 million students and families.

One complication for TSYS is that its mainframe system houses private sector customer data, too.

"I understand the reluctance" to show details about client accounts, but given the rest of the data showed abnormal activity, such as "privileged users that had excessive permissions and the like, I worry about what other users we were not able to see had access to in our data,” Tighe said.

Her written testimony stated that inspectors "found accounts with excessive permissions and unauthorized access."

Inspector general spokeswoman Catherine Grant told Nextgov in an email they "are not aware of a breach, but there is always risk of that when there are accounts with excessive or unnecessary privileges."

This spring, Accenture announced a $966 million deal to continue servicing the student aid tool for another decade.

Accenture spokeswoman Joanne Veto said, "Accenture has cooperated fully with the inspector general and has tried to encourage TSYS to provide information that doesn't compromise their data or their customer information."

TSYS officials said they are obligated to protect not only Education's data but also the data of the more than 750 million cardholders they serve.

The agency's request "for all mainframe [user IDs] with privileges represented a request for sensitive information not applicable to DoED," TSYS spokesman Cyle Mims said in an email, referring to Education. "Providing such sensitive information would jeopardize the data security of other TSYS clients and represent a breach of contractual confidentiality."

He said TSYS provided Education with user IDs and privileges "applicable" to the department.

In the aftermath of an Office of Personnel Management hack that involved contractors and affected 21.5 million people, the White House has proposed requiring all vendors to open their recordbooks and systems to inspectors upon request.

An August draft regulation requires all agency security reviewers be granted access to vendor facilities, installations, operations, documentation, databases, IT systems, devices and personnel, regardless of where they are located.

(Image via Maksim Kabakou/Shutterstock.com)