Leidos reports Data Breach caused by Vulnerability in Software Provided By Diligent Corp
Leidos, a defense IT services contractor, reported a data breach in which unauthorized individuals gained access to confidential consumer data held by the company. The breach was facilitated by a vulnerability in software developed by Diligent Corporation.
The unauthorized access is believed to have commenced as early as September 30, 2022. On February 9, 2023, Diligent alerted Leidos about a second vulnerability, which had resulted in an additional period of unauthorized access that began on October 1, 2022. Further investigation determined that some of the files accessed by the unauthorized party contained confidential consumer information.
Neither Diligent nor Leidos has publicly confirmed the specific types of data that were compromised in the recent breach. However, on June 9, 2023, Leidos sent individual data breach letters to everyone whose information was compromised, each giving a detailed explanation of the specific information that was leaked for that individual.
Update - as of 24th of July 2024, part of the data stolen in the data breach of Leidos provider Diligent was leaked on the web. The data leak includes approximately one gigabyte of files in various formats such as zip, msg, doc, jpg, png, xls/x, and pdf. These files encompass Leidos’ technical assistance documents and information related to its customers. The leaked documents were discovered on a cybercrime forum.
While Bloomberg News reviewed some of the leaked files, it could not verify their authenticity due to obscured details. The exact nature and sensitivity of the stolen documents remain unclear, though Leidos has confirmed that the incident did not involve sensitive customer data.
As of 1st of August 2024, an anonymous source indicated that the leaked documents pertained to internal investigations managed through Diligent Corp. Previous reports suggest the data leak originated from Steele Compliance Solutions, a subsidiary acquired by Diligent in 2021. Mergers and acquisitions often involve the transfer of sensitive information, creating opportunities for hackers to exploit vulnerabilities.