Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractor's system was hacked from an Internet address in China.
Privately held Apptis, based in Chantilly, returned the money in February "for services that were never performed" during a three-year military health-service contract awarded in November 2004, according to the Pentagon inspector general's semi-annual report.
Apptis agreed to the repayment after the Defense Criminal Investigative Service concluded the company and a subcontractor failed to provide "proper network security and information assurance services," according to the report, released in June.
The subcontractor's system under Apptis management was intruded upon "with total access to the root network" from an Internet address in China, the report said. The report didn't say when the intrusion occurred. The Pentagon started its investigation in August 2007.
Under the contract, Apptis provided software maintenance, updates and testing for a Military Health System program that standardizes reporting of health costs and includes unclassified though sensitive personnel data, according to a government description of the program.
The case illustrates "an ongoing problem in protection of Defense Department information that is not under the complete control of the department," said special agent Paul Sternal, head of the criminal service's cyber crimes unit, in an interview.
"Violations such as these will be getting more attention because of the increased emphasis on cyber security," Mr. Sternal said. The agency is conducting similar investigations of other companies, he said.
Pauline Healy, an Apptis spokeswoman, said in an e-mail, "The amount we paid was to settle any and all issues surrounding performance requirements to the mutual satisfaction of both parties." Ms. Healy said the "apparent intrusion" occurred with a subcontractor's system.
Mr. Sternal wrote in a 2007 article for the government-published Journal of Public Integrity that there is no law or rule requiring defense contractors to report the loss of "sensitive but unclassified defense data through cyber theft."
"This lack of reporting requirements presents a national security vulnerability," he wrote.
President Obama is seeking to improve security in government computer systems. He said in May he will appoint a White House adviser to oversee the security of all government and business computer networks in response to widespread breaches and theft of information.
The Pentagon by September will publish proposed revisions to its acquisition rules that will require improved protection of Pentagon information in its contracts, spokeswoman Cheryl Irwin said in an e-mail.