Contractor’s Background Checks Under Scrutiny after Massive Breach Traced to Twin Brothers Previously Convicted of Hacking
A major federal data breach is traced to twin brothers who were working at a government contractor, and had previously spent time in prison for hacking the U.S. State Department and a cosmetics company. Their hiring by Opexus was called a “major lapse” in security measures.
The brothers, Muneeb Akhter and Suhaib Akhter, worked as engineers at Opexus, a contractor that provides software services for processing government records. It is owned by the private equity firm Thoma Bravo.
Bloomberg News reported details of the case.
According to an internal investigation from Opexus along with a second investigation from Google-owned cybersecurity firm Mandiant, the brothers accessed troves of sensitive documents and compromised or deleted more than 30 government databases.
Impacted databases include those containing data from the Internal Revenue Service (IRS) and the General Services Administration (GSA). The brothers are also accused of removing more than 1,800 files related to one government project.
Computer Prodigies Turned Criminals
Long before a string of incidents, the brothers had a reputation as “computer prodigies.”
The Virginia natives graduated from George Mason University at age 19 in 2011 with degrees in electrical engineering. They went on to earn masters degrees in computer engineering and received a grant to conduct cybersecurity research for the Defense Advanced Research Project Agency (DARPA).
But then things went south.
According to the Department of Justice, while Muneeb worked as a contractor for the Department of Homeland Security, he hacked into the website of a cosmetics company and stole thousands of credit card numbers, which were used to fund vacations.
At the same time, Subhaib was working as an information technology support contractor for the State Department’s Bureau of Consular Affairs. According to DOJ, Subhaib accessed sensitive computer systems and removed passport and visa information belonging to friends, a former employer, and a federal law enforcement agent who was investigating his conduct. Prosecutors say the twins hoped to sell fake passports and visas by installing a device to provide unauthorized remote access to the State Department’s computer systems.
Muneeb was sentenced to three years in prison, while Suhaib received a two-year sentence.
Hired at Opexus
After getting out of federal prison, the brothers worked various engineering-related jobs before both ended up at Opexus, which declined to comment to Bloomberg on whether it conducted a background check before hiring them.
While at Opexus, the brothers worked on electronic case management and had access to two major software systems: one that manages audits of government agencies and one that processes and tracks public records requests including freedom of information (FOIA) requests.
Eventually, their criminal past was found out, after Suhaib was offered a role at the Federal Deposit Insurance Corporation Office of Inspector General, which required a background check. FDIC officials learned of their criminal records and flagged the brothers as insider threats to Opexus’s chief information security officer.
According to Bloomberg, the Akhter brothers were summoned into a virtual meeting with HR and fired. But during that meeting Muneeb Akhter accessed an IRS database and blocked others from connecting to it, and accessed and deleted 34 databases, including one from GSA.
Investigations Underway
Inspectors general at more than a dozen federal agencies have been investigating the incident, and are still trying to identify the universe of government records and data potentially accessed, copied and removed by the Akhters, according to five people familiar with the matter. The FBI and other federal law enforcement agencies are now investigating.
Muneeb and Sukhaib Akhter denied wrongdoing in an interview with Bloomberg.
“I don’t recall any of this stuff,” Muneeb Akhter said. “Anything I did was for work purposes. I don’t know how this can be linked to me.”
