Shoddy infosec costs PwC spinoff and NMA $11.3M in settlement with Uncle Sam
Pen-testing tools didn't work – and personal info of folks hit by pandemic started appearing in search engines
Updated: Two consulting firms, Guidehouse and Nan McKay and Associates, have agreed to pay a total of $11.3 million to resolve allegations of cybersecurity failings over their roll-out of COVID-19 assistance.
The fines break down thus: Guidehouse, formerly PwC's US public sector arm and still headquartered in McLean, Virginia, has agreed to pay $7.6 million, while consultancy NMA – based in California's El Cajon – agreed to shell out $3.7 million. An ex-Guidehouse employee who blew the whistle on this affair earned themselves $1,949,250 as part of the settlements.
Of course, this is a mere slap on the wrist for Guidehouse, which reportedly raked in $5.5 billion in revenue last year. NMA has a reported annual revenue of about $190 million.
Here's what happened, according to the US Justice Department and settlement agreements issued last month.
Both firms had been selected by New York to administer that state's emergency rental assistance program (ERAP). ERAPs were established by Congress across the US in early 2021 as part of the federal government's COVID relief funding efforts. These safety-net programs provided financial aid to low-income folks during the pandemic lockdown to help cover the costs of rent, utilities, and other housing-related expenses.
Each state that participated in the program was required to select an agency to distribute federal funds to eligible tenants and landlords. In New York, the Office of Temporary and Disability Assistance (OTDA) was that agency, and in May 2021 it inked a $310 million contract with Guidehouse as the prime contractor responsible for providing ERAP technology and services to New Yorkers.
NMA, hired as Guidehouse's subcontractor, was responsible for providing the ERAP system used by New York residents to submit online applications requesting rental assistance.
The consulting firms were supposed to ensure that this ERAP application underwent proper cybersecurity testing before deployment. But, according to the settlements, neither NMA nor Guidehouse's testing tools worked, and they cleared it for launch anyway.
"Ultimately, neither Guidehouse nor NMA satisfied their obligation to complete the required pre-production cybersecurity testing," the NMA settlement noted [PDF].
Still, the New York State ERAP went live as planned on June 1, 2021, and sensitive personal information began leaking almost immediately. About 12 hours after the ERAP application was online, the OTDA notified both consulting firms that certain data from the applications had been leaking onto the internet.
"Although an investigation conducted by a third party retained by NMA in consultation with Guidehouse determined that no Personally Identifiable Information ('PII') was viewed or used by unauthorized parties, the 'Information Security Breach' protocol was triggered under the ERAP Prime Contract because PII was accessed by commercial search engines for a limited group of individuals," the court document said.
As part of the settlements, both Guidehouse and NMA acknowledged that if they had performed the contractually mandated security testing, the data loss may have been prevented.
Also, as part of its settlement [PDF], Guidehouse admitted that between November 10 and December 14, it used an unnamed "third-party data cloud software program" to store PII without first obtaining the state's approval. This was also in violation of its contract.
"Contractors who receive federal funding must take their cybersecurity obligations seriously," said US Attorney Carla Freedman for the Northern District of New York. "We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information."
Neither Guidehouse nor NMA responded to The Register's request for comment. ®
Updated to add on June 18
NMA sent us the following statement saying it wasn't planning on changing anything. Strange.
"Nan McKay is pleased to have reached a settlement with the government resolving all allegations without any admission to liability under the False Claims Act," a spokesperson told us.
"Nan McKay has, over the course of its 40 plus years, been recognized nationally as among the most trusted companies for administering housing programs. None of the industry-leading people, processes or technologies that earned us that reputation have changed as the result of our May 13, 2024, Settlement Agreement with the US Department of Justice."