Data pilfered from Pentagon IT supplier Leidos

With numerous US government agency customers, any leak could be serious

Updated Internal documents stolen from Leidos Holdings, an IT services provider contracted with the Department of Defense and other US government agencies, have been leaked on the dark web.

The Leidos files that have made their way into the wild are claimed not to hold any "sensitive customer data," but the incident highlights the need for greater security awareness.

The documents are believed to have been stolen in a previously disclosed attack and data theft at Diligent Corporation, a provider of governance software. Leidos, which is a Diligent customer, is said to have only recently learned that the documents were currently being circulated, although the original attack happened in 2022, according to a Bloomberg report citing an anonymous source.

A spokesperson for Leidos told The Register that the documents now leaked online were swiped during an earlier incident "affecting a third-party vendor" and that all necessary data breach notifications had been sent out in 2023. The theft did not involve any sensitive customer data, the spokesperson insisted.

We understand the pilfered info mostly concerns internal Leidos corporate data, such as reviews of employee issues and complaints, rather than anything militarily sensitive.

Leidos merged with Lockheed Martin's Information Systems & Global Solutions (IS&GS) business in 2016 to form one of the defense industry's largest IT services providers. As well as the Department of Defense, it provides services for the Department of Homeland Security, NASA, and other US government agencies, making any leak of internal information potentially serious.

According to Bloomberg, Leidos was using the Diligent service to hold "information gathered in internal investigations," but it is not clear exactly what kind of information this might be. The news agency claims it was able to view the documents that cyber-criminals claimed originated from Leidos on a "cybercrime forum."

Suffice to say, claims by data thieves on the internet should always be treated skeptically: Boasts about info being stolen and leaked from a military IT supplier can boil down to the – of course, unfortunate – dumping of contractor employee records online as opposed to Uncle Sam's top secrets.

We asked the US Department of Defense for comment on the matter.

Leidos is also likely to face greater scrutiny from its customers as it weighs up any potential damage and looks to prevent any such future incidents.

The company, which is headquartered in Reston, Virginia, has a workforce of about 47,000 employees and primarily serves customers in heavily regulated industries. Leidos reported revenue of $15.4 billion for its fiscal year ended December 29, 2023.

Leidos announced earlier this month that it has won a contract to continue providing cargo mission engineering and integration services for NASA's International Space Station (ISS) Program and Artemis campaign, said to be worth $476 million. ®

Updated to add at 1533 UTC on July 24

A Diligent spokesperson told The Register: "This matter appears to concern an incident that took place in 2022 affecting Steele Compliance Solutions, an entity Diligent acquired in 2021. In November 2022, upon identification of the incident, we promptly notified impacted customers and took immediate corrective action to contain the incident. This incident did not impact Diligent Boards or any of our other products.

"We take security very seriously and believe we have taken the necessary steps to ensure any acquired company meets the same standard that our clients expect in a Diligent product."

More about

TIP US OFF

Send us news


Other stories you might like