Deltek Breach Raises Questions About Widespread Hacking


Feds won't confirm company assertions about the attack, which affected 80,000 employees of government contractors.

Details surrounding a recent network breach at the business research and software firm Deltek remain uncertain after the company confirmed the incident exposed sensitive data on tens of thousands of employees of federal contractors.

On March 13, Deltek discovered an intruder had broken into a federal market analysis database called GovWin IQ, the company said. Deltek officials said the attacker accessed the login information for about 80,000 users and the credit card data for up to 25,000 of those individuals. The breach was first reported by Federal News Radio.

"This incident is connected to two large investigations and prosecutions in the District of NJ and the Eastern District of Virginia that involved many other parties and thousands of websites beyond just GovWin IQ,” Patrick Smith, Deltek’s senior vice president for marketing, said in an email. He was referring to U.S. Attorney offices in New Jersey and Virginia, where the firm is based. 

Smith added that an arrest has been made. He referred questions about the suspect's identity and about case names to the FBI. But the FBI would not confirm an arrest or links to other incidents. 

Deltek’s depiction of the situation sounds a lot like a large probe into the activities of alleged British hacker Lauri Love.

The two U.S. Attorney offices are prosecuting Love for breaching thousands of computer systems in the United States and elsewhere, including numerous federal networks. Love is believed to be affiliated with Anonymous, a hacktivist collective. British authorities arrested him in connection with another investigation in October, officials in the New Jersey U.S. Attorney's Office said at the time.

When asked last week whether the Deltek incident was tied to New Jersey's case, U.S. Attorney spokeswoman Rebekah Carmichael said in an email, "There is nothing in the public record in this case that would address the question." She added the investigation is still ongoing.

An October 2013 affidavit filed in Virginia supporting an arrest warrant against Love alleges he broke into the departments of Energy and Health and Human Services, as well as the U.S. Sentencing Commission and the FBI's Regional Computer Forensics Laboratory. The U.S. attorney's office there declined to comment on whether Deltek also was among those affected.  

Public court documents state the U.S. hacks happened between 2012 and 2013. Deltek learned it had been attacked in 2014 but did not indicate when the hack actually occurred. 

New Jersey U.S. Attorney officials announced in October 2013 an indictment against Love for infiltrating systems at the Army, U.S. Missile Defense Agency, NASA and Energy, among other offenses. A May 2013 criminal complaint also mentions an infiltration at the Federal Reserve.

The unsealed court documents do not list private sector victims that sound similar to Deltek. 

A former Deltek employee said it is believed the incident happened in tandem with a series of strikes on government agencies and financial institutions. Private investigators at Mandiant, CrowdStrike and the SANS Internet Storm Center said they could not confirm the widespread hacking described by Deltek. 

Company officials did not disclose the method the attacker used to corrupt GovWin. Court records show Love entered databases through weaknesses in widely-used Adobe ColdFusion software, "SQL injection" attacks, and malicious software. 

(Image via scyther5/