Shoddy infosec costs PwC spinoff and NMA $11.3M in settlement with Uncle Sam

Pen-testing tools didn't work – and personal info of folks hit by pandemic started appearing in search engines

Updated: Two consulting firms, Guidehouse and Nan McKay and Associates, have agreed to pay a total of $11.3 million to resolve allegations of cybersecurity failings over their roll-out of COVID-19 assistance.

The fines break down thus: Guidehouse, formerly PwC's US public sector arm and still headquartered in McLean, Virginia, has agreed to pay $7.6 million, while consultancy NMA – based in California's El Cajon – agreed to shell out $3.7 million. An ex-Guidehouse employee who blew the whistle on this affair earned themselves $1,949,250 as part of the settlements.

Of course, this is a mere slap on the wrist for Guidehouse, which reportedly raked in $5.5 billion in revenue last year. NMA has a reported annual revenue of about $190 million.

Here's what happened, according to the US Justice Department and settlement agreements issued last month.

Both firms had been selected by New York to administer that state's emergency rental assistance program (ERAP). ERAPs were established by Congress across the US in early 2021 as part of the federal government's COVID relief funding efforts. These safety-net programs provided financial aid to low-income folks during the pandemic lockdown to help cover the costs of rent, utilities, and other housing-related expenses.

Each state that participated in the program was required to select an agency to distribute federal funds to eligible tenants and landlords. In New York, the Office of Temporary and Disability Assistance (OTDA) was that agency, and in May 2021 it inked a $310 million contract with Guidehouse as the prime contractor responsible for providing ERAP technology and services to New Yorkers.

NMA, hired as Guidehouse's subcontractor, was responsible for providing the ERAP system used by New York residents to submit online applications requesting rental assistance.

The consulting firms were supposed to ensure that this ERAP application underwent proper cybersecurity testing before deployment. But, according to the settlements, neither NMA's nor Guidehouse's testing tools worked, and the firms cleared the application for launch anyway.

"Ultimately, neither Guidehouse nor NMA satisfied their obligation to complete the required pre-production cybersecurity testing," the NMA settlement noted [PDF].

Still, the New York State ERAP went live as planned on June 1, 2021, and the loss of individuals' sensitive information began almost immediately. About 12 hours after the ERAP application was online, the OTDA notified both consulting firms that certain data from the applications had been leaking onto the internet.

"Although an investigation conducted by a third party retained by NMA in consultation with Guidehouse determined that no Personally Identifiable Information ('PII') was viewed or used by unauthorized parties, the 'Information Security Breach' protocol was triggered under the ERAP Prime Contract because PII was accessed by commercial search engines for a limited group of individuals," the court document said.

As part of the settlements, both Guidehouse and NMA acknowledged that if they had performed the contractually mandated security testing, the data loss may have been prevented.

Also, as part of its settlement [PDF], Guidehouse admitted that between November 10 and December 14, it used an unnamed "third-party data cloud software program" to store PII without first obtaining the state's approval. This was also in violation of its contract.

"Contractors who receive federal funding must take their cybersecurity obligations seriously," said US Attorney Carla Freedman for the Northern District of New York. "We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information."

Neither Guidehouse nor NMA responded to The Register's request for comment. ®

Updated to add on June 18

NMA sent us the following statement saying it wasn't planning on changing anything. Strange.

"Nan McKay is pleased to have reached a settlement with the government resolving all allegations without any admission to liability under the False Claims Act," a spokesperson told us.

"Nan McKay has, over the course of its 40 plus years, been recognized nationally as among the most trusted companies for administering housing programs. None of the industry-leading people, processes or technologies that earned us that reputation have changed as the result of our May 13, 2024, Settlement Agreement with the US Department of Justice."
