Investigation reveals widespread insider hacking at immigration agency

A yearlong probe into computer fraud at an immigration application processing center uncovered multiple incidents of internal hacking where staff accessed management-level emails and other confidential files, according to Homeland Security Department interviews, network analyses and internal emails obtained by Nextgov.

The investigation began in January 2008, when officials at U.S. Citizenship and Immigration Services, which is part of Homeland Security, reported to the department's inspector general that numerous personnel had violated federal security rules at the agency's Texas Service Center, one of four regional centers that handle a variety of immigration-related petitions and applications. According to the materials obtained, employees and supervisors abused system logon privileges, gained unauthorized access in some instances and then allegedly sabotaged audit logs to leave behind no traces of their illicit activities. IG papers list the redacted names of 17 subjects of the investigation, all of whom were information technology specialists.

The evidence of breaches at the center is the latest revelation of insider threats at USCIS. With their ill-gotten access rights, the Texas personnel were capable of, for example, granting citizenship rights, as well as reading files containing sensitive information on contract awards, immigration reform or other policy formulations, say former USCIS IT officials there at the time.

Federal agents located so-called hackware in several computer drives -- software that lets users intercept business information passing through the agency's network, according to one investigative analysis signed in March 2008.

In another instance, a staffer in a position of authority asked for the logins and passwords of all software and systems at the service center, which would have granted that person unauthorized access to all goings-on at the facility.

A Nov. 27, 2007, email from the manager carried the subject line: "FW: TSC Logins and passwords." The body of the email stated: "I will need the administrator password for every piece of hardware in the TSC that requires a password. I will also need the administrator password for any enterprise type software that has an administrator password." The manager then said, "Please do not send them in e-mail unless you encrypt the text file" -- or scramble the data to render it unreadable. "You can call me to provide the encryption password."

Federal computer fraud laws prohibit the unauthorized use of administrator passwords, the former IT managers said.

Separately, an employee told agents that a few federal IT specialists had acquired prohibited codes for reading other center employees' emails -- authorizations dubbed "God rights," according to an interview report signed February 2008. The employee "related that [Texas Service Center] IT employees should not have had enterprisewide rights (commonly referred to as 'God' rights) because it was a restricted administrative status that was reserved for CIS [Office of Information Technology] upper management," the write-up stated.

The U.S. Attorney's Office for the Northern District of Texas declined to criminally prosecute the subjects of the investigation for computer fraud, according to the inspector general materials obtained.

An IG memo stamped Oct. 1, 2008, stated the final investigation was delivered to Jan Lane, chief of the USCIS Office of Security and Integrity, so the agency could take whatever disciplinary action it deemed appropriate.

Agency officials would not comment on the outcome of the case, and Lane no longer works there. They said in a statement, "USCIS demands that our employees maintain the highest ethical standards. When allegations of misconduct are made, USCIS takes immediate action to protect the integrity of the workplace and to ensure that the facts are investigated fully. USCIS is committed to taking full and appropriate disciplinary action against any employee who is found to have violated our standards."

In recent years, there have been a number of documented cases where employees or contractors tampered with secure IT systems. Government investigators have warned the agency could become more vulnerable to insider threats because designs for a current IT overhaul do not include protections against such activities.

For example, a 2008 serious incident report obtained by Nextgov shows USCIS officials discovered internal wrongdoing at a Vermont processing center. The records show that employees within the Fraud Detection and National Security Directorate -- hired to ensure dangerous individuals are not accorded legal status -- hooked up a nongovernment computer to an external Internet connection, potentially allowing them to import or export data for committing identity theft.

More recently, a former USCIS contractor was sentenced to five and a half years in jail for falsifying files to help illegal immigrants receive "legal" passports. Justice Department officials announced the punishment in late May, after Richard Abapo Quidilla, 39, of Pico Rivera, Calif., pled guilty to computer fraud, among other charges. He deleted the names, birth dates and other personal data of naturalized citizens in a secure database and substituted the corresponding information of illegal immigrants, according to federal district court papers.

The agency could open itself up to greater risk of insider wrongdoing due to poor planning for an ongoing $2.4 billion project to automate immigration paperwork, IG officials reported in January. USCIS Transformation, the online system that is supposed to improve fraud detection, is missing controls to prevent internal hacking, according to the audit.

Frank Deffer, assistant IG for information technology audits, wrote that based on a "review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats" to Transformation. "Insiders at USCIS have perpetrated fraud in the past" and internal staff "are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States," he added.
