Despite being entrusted with sensitive government information, two federal contractors have agreed to pay a combined $11.3 million settlement after a catastrophic cybersecurity failure compromised applicants’ personal data. Guidehouse Inc. and Nan McKay, the contractors in question, admitted they didn’t complete required pre-production testing. A rookie mistake that cost millions.
Federal contractors fumbled basic security protocols, resulting in an $11.3 million settlement for a completely preventable data breach.
The breach happened just 12 hours after New York’s Emergency Rental Assistance Program website went live in June 2021. Twelve hours! They couldn’t even make it through a single day without exposing personally identifiable information of applicants. The contractors were specifically required to guarantee the ERAP system underwent proper cybersecurity testing. They didn’t. Simple as that.
This settlement falls under the Department of Justice’s Civil Cyber-Fraud Initiative, which uses the False Claims Act to pursue contractors that knowingly misrepresent their cybersecurity practices or fail to meet contractual cybersecurity requirements. The initiative, announced by Deputy Attorney General Lisa Monaco in October 2021, lets the DOJ seek treble damages (three times the government’s actual loss, for those keeping score) plus civil penalties on each false claim submitted, currently in the range of roughly $14,000 to $28,000 per claim.
Federal contractors aren’t just playing around with website designs. They’re handling sensitive data, and in the defense sector, national security information. They must comply with Federal Acquisition Regulation (FAR) clauses, and defense contractors additionally with DFARS 252.204-7012, the Defense Federal Acquisition Regulation Supplement clause that mandates implementing the NIST SP 800-171 controls on systems that process covered defense information. Contractors such as Lockheed Martin and Boeing have reportedly been targeted by infostealer malware, which harvests employee credentials and session tokens and can expose sensitive defense information.
The defense sector remains a prime target for advanced persistent threats (APTs), with 35% of politically motivated cyberattacks linked to China or Russia. Insider threats and supply chain vulnerabilities compound these risks. This case exemplifies why the Cybersecurity Maturity Model Certification (CMMC) requires defense contractors to have their security controls assessed and certified before a contract is awarded, rather than taking their word for it.
Whistleblowers often play a vital role in detecting cybersecurity fraud. Chief Information Security Officers, Information Systems Security Managers, and Contract Compliance Officers are typically the first to notice security lapses. Engaging with Managed Security Service Providers could have provided these contractors with 24/7 monitoring and specialized expertise to prevent such breaches.
Basic preventive measures could have avoided this disaster, starting with the one the contract actually required: completing security testing before the site went to production. Strong endpoint security, proper authentication and access controls on applicant data, and regular system updates round out the list. But apparently that was too much to ask of contractors entrusted with a federally funded program, and now it has cost them $11.3 million.