Two consulting firms, Guidehouse and Nan McKay and Associates, have agreed to pay a total of $11.3 million to resolve allegations of cybersecurity failings over their roll-out of COVID-19 assistance.

The fines break down thus: Guidehouse, formerly PwC's US public sector arm and still headquartered in McLean, Virginia, has agreed to pay $7.6 million, while consultancy NMA - based in California's El Cajon - agreed to shell out $3.7 million. An ex-Guidehouse employee who blew the whistle on this affair earned themselves $1,949,250 as part of the settlements.

Of course, this is a mere slap on the wrist for Guidehouse, which reportedly raked in $5.5 billion in revenue last year. NMA has a reported annual revenue of about $190 million.

Here's what happened, according to the US Justice Department and settlement agreements issued last month.

Both firms had been selected by New York to administer that state's emergency rental assistance program (ERAP). ERAPs were established by Congress across the US in early 2021 as part of the federal government's COVID relief funding efforts. These safety-net programs provided financial aid to low-income folks during the pandemic lockdown to help cover the costs of rent, utilities, and other housing-related expenses.

Each state that participated in the program was required to select an agency to distribute federal funds to eligible tenants and landlords. In New York, the Office of Temporary and Disability Assistance (OTDA) was that agency, and in May 2021 it inked a $310 million contract with Guidehouse as the prime contractor responsible for providing ERAP technology and services to New Yorkers.

NMA, hired as Guidehouse's subcontractor, was responsible for providing the ERAP system used by New York residents to submit online applications requesting rental assistance.

The consulting firms were supposed to ensure that this ERAP application underwent proper cybersecurity testing before deployment. But, according to the settlements, neither NMA nor Guidehouse's testing tools worked, and they cleared it for launch anyway.

"Ultimately, neither Guidehouse nor NMA satisfied their obligation to complete the required pre-production cybersecurity testing," the NMA settlement noted [PDF]. 

Still, the New York State ERAP went live as planned on June 1, 2021, and individuals' sensitive information loss started almost immediately. About 12 hours after the ERAP application was online, the OTDA notified both consulting firms that certain data from the applications had been leaking onto the internet.

"Although an investigation conducted by a third party retained by NMA in consultation with Guidehouse determined that no Personally Identifiable Information ('PII') was viewed or used by unauthorized parties, the 'Information Security Breach' protocol was triggered under the ERAP Prime Contract because PII was accessed by commercial search engines for a limited group of individuals," the court document said.

As part of the settlements, both Guidehouse and NMA acknowledged that if they had performed the contractually mandated security testing, the data loss may have been prevented.

Also, as part of its settlement [PDF], Guidehouse admitted that between November 10 and December 14, it used an unnamed "third-party data cloud software program" to store PII without first obtaining the state's approval. This was also in violation of its contract. 

"Contractors who receive federal funding must take their cybersecurity obligations seriously," said US Attorney Carla Freedman for the Northern District of New York. "We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information."

Neither Guidehouse nor NMA responded to The Register's request for comment. ®

https://www.theregister.com//2024/06/17/guidehouse_nma_fined/