A major USAID contractor said it was hacked in 2021. It’s still not sharing details
Chemonics, an international development firm that has received billions in government contracts and has described USAID as its “primary client,” suffered a hack that impacted its employees back in 2021. Three years later, neither the company nor the agency is commenting on what actually happened.
According to a consumer data breach notice filed with the Maine attorney general’s office, the attack was described as an “external system breach” and “hacking” that impacted more than 6,000 people. The alert came after the company discovered “anomalous activity in its email environment” on July 12, 2021, also according to a filing with New Hampshire’s attorney general.
That notice said that either an “unauthorized” actor or actors obtained access to company email accounts between March 2 and July 13 of that year — though Chemonics couldn’t identify the specific emails that were impacted, the company said in the disclosure. “The investigation also found no conclusive evidence of data exfiltration, and we have no evidence of actual or attempted misuse of personal information,” the notice stated.
The extent to which different types of information were released is unclear. The Maine notification said that driver’s license numbers and non-driver identification card numbers were released. The New Hampshire notice said that emails with individuals’ names and social security numbers were revealed in the breach — though “financial account information without corresponding access codes” was also included in some emails. The legal website JD Supra wrote that “access credential information” was also accessed, but the author did not respond to FedScoop’s request regarding the source of that information.
Chemonics isn’t answering questions about what steps it’s taken to address the potential impact of the event on USAID, which the company works with in myriad partner countries. Nor did the company address whether it reported the incident to the Cybersecurity and Infrastructure Security Agency, the type of information impacted, or whether it has suffered any other breaches.
“We are continually adapting and updating our cybersecurity policies and procedures to ensure we are current with the ever-evolving cyber threat landscape that impacts us all,” a Chemonics spokesperson said in response to a series of questions from FedScoop. “While we cannot comment on any specific cybersecurity incident, we are committed to safeguarding all data entrusted to us.”
The spokesperson continued: “It is our practice to work transparently and proactively with our staff, clients, and partner organizations who may be affected by any potential incident, including complying with applicable laws. Cybersecurity continues to be a priority focus for Chemonics as we seek to achieve meaningful development impact in complex contexts around the world.”
Turke & Strauss, a law firm specializing in data breaches, states on its website that it’s investigating the company over the incident. The firm declined to discuss their work on the topic.
Notably, Chemonics appears to have had three chief information security officers in the past three years, though the company did not answer FedScoop’s question about whether anyone held the position before October 2021, when an individual on LinkedIn said that they started the position. The data breach notifications written in 2021 came from Pete Souza, who was described at the time as the director of cybersecurity, infrastructure, and system administration at Chemonics.
Those impacted were provided identity theft protection from the company, as well as active credit monitoring, per the disclosures. Notices for residents of states including Vermont, Montana, Massachusetts, and other states are available online.
In regard to the incident, CISA referred FedScoop to Chemonics. So did a USAID spokesperson, who only added the following: “USAID takes the security and confidentiality of all our partners very seriously. Strong cybersecurity practices and policies are critical to the success of USAID and its partners. “
Back in May 2021, the Russian-backed group Midnight Blizzard, which was previously called Nobelium, orchestrated a cyberattack by impersonating USAID through its Constant Contact email marketing service to send “malicious links” to organizations that worked with the agency. Chemonics did not address whether this breach was related to Midnight Blizzard or that particular incident.