Hackers have released internal documents stolen from Leidos Holding, a defense contractor and federal IT services provider, after a third-party data leak.
Based in Reston, Virginia, Leidos employs 47,000 workers and reported $15.4 billion in 2023. Its customers include the Department of Defense (DOD), the Department of Homeland Security (DHS), the National Aeronautics and Space Administration (NASA), other US and foreign government agencies, and corporations, highlighting the severity of the data breach.
In 2016, Leidos merged with Lockheed Martin’s Information Systems & Global Solutions. The merger consolidated even more sensitive information, forming one of the defense industry’s largest IT services contractors.
While the nature of the information leaked remains unclear, an anonymous source familiar with the matter told Bloomberg that the defense contractor was using Diligent Corp. to store “information gathered in internal investigations.”
Defense contractor Leidos was aware of the data leak
According to a data breach notification filed in Massachusetts, Diligent discovered the data leak and notified Leidos on November 11, 2022. It involved an unauthorized entity exploiting a “vulnerability in Diligent’s platform to download documents from the system, possibly as early as September 30th.”
On or around October 1, 2022, another intruder exploited a second vulnerability to view information submitted via Leidos’ enterprise case management system (ECMS) hosted by Diligent.
Previous reports indicated that the data leak stemmed from a subsidiary, Steele Compliance Solutions, that Diligent acquired in 2021.
Mergers and acquisitions introduce chaos and lead to the transfer of sensitive information, giving hackers an opportune moment to strike. In 2021, the FBI warned that cybercriminals target organizations during “time-sensitive financial events” such as mergers and acquisitions.
Meanwhile, Leidos was notified of the second data leak on February 9, 2023, and launched an investigation. The probe determined that the impacted documents included personal information, and the defense contractor offered 2 years of identity theft protection to shield victims from fraud.
Third-party breaches remain a significant problem
Indeed, Leidos confirmed that the data leak “stems from a previous incident affecting a third-party vendor for which all necessary notifications were made in 2023.” The Pentagon defense contractor also asserted that “this incident did not affect our network or any sensitive customer data.”
A Diligent spokesperson also affirmed that all impacted customers, including Leidos, were promptly notified in 2022, and the company “took immediate corrective action to contain the incident.”
“Third-party breaches remain a significant problem for today’s organizations, and this week’s Leidos data leak underscores the fact that they can continue to negatively impact victims years after the initial incident occurs,” said David Kellerman, Field CTO at Cymulate. “Fortunately, this week’s Leidos incident was not a new breach—but it’s a sobering reminder that attackers can sit on stolen data for years before releasing it to the world. Once a breach has occurred, you can’t un-ring that bell—and today’s organizations need to know that their third-party risk management tools are providing them with the protection they need.”
It remains unclear when hackers leaked the documents stolen from the Pentagon contractor, but Leidos only recently discovered them circulating on the dark web and launched an investigation.
Similarly, there were no reports of the defense contractor receiving any ransom demands, which typically precede the publication of the stolen documents. The threat actor responsible for the Leidos data leak also remains unknown or undisclosed.
While defense contractors are usually targeted by nation-state actors for cyber espionage, a financially motivated or malicious actor was likely responsible for the Leidos data leak.
However, the incident will put Leidos, which recently won a $476 million contract to supply NASA’s International Space Station, under scrutiny and could undermine its future prospects for similar lucrative deals. Despite the involvement of a third-party vendor, the primary organization bears full responsibility for the data leak.
According to Dr. Ilia Kolochenko, CEO and Chief Architect at ImmuniWeb, despite some government agencies taking third-party risk management extremely seriously, they still fail to address the root cause of the problem.
“Worse, some TPRM programs indistinctively impose costly and time-consuming due diligence on most vendors, without considering vendor-specific risks, threats and vendor’s overall trustworthiness,” he added. “Eventually, the one-size-fits-all approach miserably fails, and despite sometimes-draconian risk assessments of vendors and suppliers, numerous foreseeable but unaddressed risks continue triggering massive data breaches.”