A federal contractor that helps support the government’s sprawling background check operations for years hosted an NCAA tournament wagering website on one of its corporate servers, which has resulted in the public disclosure of hundreds of names and the personal, corporate and government email addresses of participants.
The company, NT Concepts, wouldn’t say whether it intended for the information to be made public after The Washington Times raised questions about why a wagering website was public and hosted under a company domain.
But officials insist there was never any security risk from the disclosure because the now-shuttered March Madness website was set up on an external server isolated from internal corporate servers.
However, online security experts disagree, saying a list of email addresses associated with a federal contractor offers a clear road map for would-be hackers to attack the company or to target firms or individuals that may be associated with the contractor. While removed from the company’s site now, the records remained visible on Google.
“This is just perfect for a hacker,” said Neal O’Farrell, a security expert at CreditSesame.com. “Every person on this list is a much easier and more vulnerable target than they were before.”
Phil Becnel, managing partner of Dinolt Becnel & Wells Investigative Group in Washington, said the problem is that an email address isn’t just an email address.
“It’s also potentially a login and an opportunity to phish someone connected to the target,” he said.
“So, from the standpoint of an adversary, a list of employees and their personal email addresses would be a pretty good place to start if you wanted to hack a company.”
In a statement, the company said that participation of a “few NT Concepts-related individuals” in the pool never threatened the security of the company’s computers, systems or databases.
“The March Madness pool was hosted on an external server that was completely separate from the company’s internal servers, systems and databases; these are protected by the company’s firewall,” NT Concepts’ executive vice president Chris Cusano said in a statement.
“We do not have sensitive customer information on our network, nor do we intend to host such information. There is simply no connection between the March Madness pool that we shut down years ago and NT Concepts’ cybersecurity today.”
The firm, which was recently awarded an Office of Personnel Management contract to support background investigative services, also distanced itself from the pool, saying it was set up by an individual not involved with the company.
Records show participants paid by check, credit card and PayPal. The company told The Times that it doesn’t condone office pools and that the president of the firm was involved on a personal, voluntary basis.
The online records located by The Times, all still visible on Google as of last week, included more than 340 unique names and email addresses of participants as well as documents indicating that the company president, Michele Bolos, was involved in the operation of the tournament pool, which spanned years.
One participant, an Army official, was reached through a phone number Monday that was among the records once included on the site. He declined to comment on whether he expected his email and phone to end up on the Internet.
The Times also raised questions with officials about a separate group of documents concerning the company’s work for the U.S. Forest Service on the development of a wildfire monitoring application.
One document included a username and password, but the company said there was no risk with that disclosure either. In its statement, the company said the information was used for a demo site and that the format and structure of the username and password didn’t follow the company’s structure governing access to its own corporate systems.
Taken together, however, the information disclosed under a corporate domain was “disturbing,” said Fred Cate, a security expert and professor at Indiana University.
“Security is far more than just locks and firewalls,” he said. “It involves employee education and sensitivity. It requires good judgment and a recognition that even little gaps may have serious consequences, and it is about an attitude of consistent vigilance.”
Todd Feinman, chief executive of Internet security firm Identity Finder, said the disclosure doesn’t classify as the sort of data breach that should be reported to authorities, but he said the information shouldn’t have been made public or disclosed on a company website.
He said it’s troubling in that many people — including those who aren’t employees of NT Concepts but who may work for the government or other contractors — could use their same emails as logins for other sites, giving hackers half the information they need.
“At the end of the day, there’s a risk, because it’s a social engineer’s dream to have this information at their fingertips,” he said. “This is a perfect staging for a launchpad to launch an attack, because your social engineers can connect all of these dots.”
While the company said its own employees and servers were secure, the records obtained by The Times included many email addresses of individuals who appeared to be outside the company, including a handful of government employees.
While Mr. Feinman said it’s not a massive security breach that should result in firings, it’s also “not a best practice to make email addresses and full names of employees publicly known.
“It is simply spoon-feeding social engineers information they need to try to attack your company,” he said.
NT Concepts announced in 2011 that it had won an $18.5 million, five-year contract to support background investigation services and conduct records searches for the Office of Personnel Management. The company provides support services but isn’t involved in field work, according to an OPM contract award last week.
The award, which redacted the amount, was for one year. It’s unclear whether OPM officials were aware of the now-shuttered wagering site.
“A contract has been awarded to Next Tier Concepts (NT Concepts) to provide support services for OPM’s background investigations program,” an OPM spokeswoman said in a statement. “We have no expectation that any sensitive data will be shared to the company’s network.”