As a result of an insider incident where the private information of 406,000 individuals was made public by an ex-employee of Booz Allen Hamilton, the U.S. Treasury has cancelled all contracts with Booz Allen Hamilton.
This was coupled with pressure to improve cybersecurity for federal contractors after a former contractor pleaded guilty to unlawfully accessing and distributing federal IRS record information.
Treasury pulls plug on all booz allen contracts
On January 26, Secretary of the Treasury Scott Bessent confirmed in writing that Treasury had immediately terminated all 31 active contracts with Booz Allen, and provided a conditional letter terminating the government’s contractual relationship with Booz Allen.
The Secretary also stated that the Treasury will continue to work with Booz Allen to develop a plan for the future contractual relationship between the government and Booz Allen, and to improve the agency’s controls regarding federal contractors’ access to confidential information.
The Treasury Department terminated Booz Allen for failing to implement adequate security safeguards for government systems.
According to Treasury officials, the contracts accounted for $4.8 million in annual expenditures and had total obligations of $2.1 million.
Bessent said the federal government must protect taxpayer information, and contractors with access to sensitive systems must follow strict security and compliance standards.
He also pointed out that this initiative is consistent with the goal of President Trump to eliminate waste, fraud, and abuse within federal agencies.
Treasury officials explained that they took this action to restore public confidence in the government’s ability to protect private data after a series of severe cyber breaches in both the public and private sectors.
Insider breach exposed hundreds of thousands of taxpayers
In a case of unauthorized access of information through Booz Allen by Charles Edward Littlejohn (a former contractor for the company), where he pled guilty to felony charges for illegally accessing IRS systems from 2018-2020.
Littlejohn’s actions were a key aspect of the allegations of wrongdoing associated with Booz Allen.
Federal prosecutors alleged Littlejohn had gained illegal access to hundreds of thousands of records and private data for taxpayers using his contractor credentials. 406,000 countable records contained private data and tax information.
Ultimately, through the release of this information, the victims became victims of identity theft, financial fraud and long-term privacy issues. The IRS suffered one of its largest recent losses after an insider stole data from Booz Allen & Hamilton.
Officials at the Department of Treasury determined there were insufficient controls and sufficient oversight by Booz Allen which contributed to the inability to detect and prevent this theft prior to its occurrence.
Government pushes for more stringent standards of performance for federal contractors
Treasury officials stated that these canceled contracts are indicative of the government’s larger effort to increase monitoring and oversight of federal contractors that hold sensitive data.
The government is increasingly dependent on private companies to provide services in such areas as cybersecurity, analytics, and data management, making it essential that they trust their contractors, hold them accountable, and have them operate with the highest standards of data security.
According to a spokesman from the Department of Treasury, the government has a policy of no tolerance for contractors who provide weak data security.
Any contractors doing business with them must submit to rigorous audits of their data security procedures, implement systems to monitor for insider threats, and have real-time monitoring of their systems.
This crackdown aligns with a global shift toward stricter data governance, mirroring legislative moves in other nations, such as Canada’s expected amendments to its privacy laws not too long ago.
A growing reckoning over insider threats
The Booz Allen breach provides an important illustration of an emerging global problem with insider threats to government information.
Recent media coverage on cyber-attacks mainly looks at external threats. However, one of the hardest threats is from internal systems users (insider threat) who have legal access to computer systems.
The scope of data-risk extends beyond theft by employees to include the corporate sale of user data to government bodies, as alleged in recent reports about Coinbase and ICE.
Government organizations are continuing to move to digital transformations and the adoption of cloud technology. As more businesses gain access to sensitive information without appropriate monitoring and auditing, an employee can compromise hundreds of thousands of files in a matter of minutes.
For many Treasury officials, cancelling contracts is both a disciplinary action and a renewed desire to rebuild public confidence in digital security at a time when public confidence in the security of data transactions is at its lowest.
“What’s important about this issue is not just the breach that happened,” said a senior Treasury official. “It also reinforces the notion that Taxpayer data is a privilege; it requires the highest degree of responsibility.”
