A key US Military contractor’s confidential research data was exposed to hackers sponsored by the Chinese military for more than three years, in what is just the latest in a string of high-profile cyberespionage scandals.

The claims, reported by Bloomberg yesterday, revealed that the hackers gained unrestricted access to hundreds of classified and highly-sensitive military technical documents belonging to QinetiQ North America, a division of the UK-based defence company QinetiQ, which went onto make serious errors in its handling of the situation. The company was repeatedly hacked from 2007 to 2010 by a group known as the “Comment Crew”, which has been linked to the PLA unit 61398 that was exposed by Mandiant earlier this year. Yet despite receiving early warning of the breach, the firm failed to beef up its security systems, allowing the hackers to pilfer classified data for three years until their access was finally cut off.

It’s no secret that cyberespionage is a growing problem for the US, which has been rocked by a number of high profile hacking incidents in the past few months. In this latest breach, Bloomberg reports that the hackers were detected as early as December 2007, when two employees noticed that confidential data had been deleted from the company’s system. One month later, the hackers were spotted attempting to hack into NASA’s computer systems from a QinetiQ computer.

One might think that QinetiQ would take immediate action following these warnings, but apparently that wasn’t the case. Internal company emails obtained by Bloomberg instead reveal a series of poor decisions that exacerbated the situation. QinetiQ brought in security firms Mandiant, HBGary and Terremark to deal with the intrusions, but the monitoring software used by these companies slowed down employee’s computers so much that company chiefs eventually gave them permission to uninstall the software.

In another key error, Mandiant advised QinetiQ that Comment Crew was gaining access to its systems in the simplest way possible – by stealing employee passwords and logging in as normal. The security firm suggested a fix, most likely some kind of two-factor authentication, but QinetiQ failed to act on this advice.

The result of these errors was that, for the next three years, hackers were able to invade almost every corner of QinetiQ’s computer systems. During this time they stole more than 13,000 user passwords, gaining access to servers storing some of the company’s most sensitive information.

Among the confidential files stolen were more than 3.3 million pages of Excel spreadsheets relating to QinetiQ’s drone and robotics technology group, as well as data relating to its work with the US Army’s helicopter fleet, advanced robotics, and satellite espionage.

In addition, it turns out that Comment Crew weren’t the only foreign actors enjoying a free reign in QinetiQ’s systems. In 2008, an investigation found that an employee’s computer was being used to send confidential data to a server based in Russia. The information had been routed in that way for about two and a half years, according to investigators.

Bloomberg obtained much of its information from private HBGary emails that were hacked by Anonymous in 2011. Some of these communications reveal the true scale of QinetiQ’s infiltration:

“All their code and trade secrets are gone. Oh yeah… they are fucked,” wrote HBGary’s senior security engineer Phil Wallisch in one communication.

So far, the US government has taken no action against the contractor. The US State Department has the right to revoke QinetiQ’s license to work with classified military technology in the event of negligence, yet incredibly, despite its errors, the firm has actually been awarded a new $4.7 million contract to help protect transport infrastructure against cyberattacks.