Stolen internal documents from Pentagon contractor Leidos leaked online
Hackers have reportedly leaked stolen internal documents from Leidos Holdings Inc., one of the largest information technology services providers to the U.S. government and notably a Pentagon contractor.
Bloomberg, referencing a person familiar with the matter, claims that Leidos recently learned of the issue and believes that the documents were stolen as part of a breach of Diligent Corp. disclosed in 2023. Leidos is a Diligent customer. An investigation into the leak is ongoing.
A spokesperson for Leidos confirmed the breach, saying that “we have confirmed that this stems from a previous incident affecting a third-party vendor for which all necessary notifications were made in 2023,” and that “this incident did not affect our network or any sensitive customer data.”
Though the Diligent breach was formally reported in 2023, it dates back to 2022. As reported at the time, an unauthorized actor gained access to a network supporting Steel Compliance, a firm acquired by Diligent in 2021, on May 21, 2022. The breach was detected on May 23 and then contained on May 24.
Leidos used Diligent’s systems to host information gathered during internal investigations, along with related notes. What the leaked documents contain, where they were posted, and who leaked them has not been disclosed.
The company’s customers include the U.S. Department of Defense, the Department of Homeland Security, the National Aeronautics and Space Administration and various other government bodies and commercial customers. Notably, the company was recently awarded a $476 million contract with NASA to provide cargo mission engineering and integration services for the International Space Station and NASA’s Artemis program.
Dr. Ilia Kolochenko, chief executive officer at security company ImmuniWeb SA and adjunct professor of cybersecurity and cyber law at Capital Technology University, told SiliconANGLE that in light of the recent drama around CrowdStrike Holdings Inc., this new case illustrates fundamental flaws with third-party risk management.
“While some large companies and governmental agencies take third-party risk management extremely seriously, they still fail to adequately mitigate the root cause of the problem,” Kolochenko said. “Worse, some TPRM programs indistinctively impose costly and time-consuming due diligence on most vendors, without considering vendor-specific risks, threats and vendor’s overall trustworthiness. Eventually, the one-size-fits-all approach miserably fails, and despite sometimes-draconian risk assessments of vendors and suppliers, numerous foreseeable but unaddressed risks continue triggering massive data breaches.”
Image: SiliconANGLE/Ideogram