Cyber Incident Victim: Northrop Grumman
Date: Apr 2016
Location: United States of America
Summary
A defense contractor experienced unauthorized access to an employee tax portal, compromising sensitive personal and tax information including names, Social Security numbers, wage details, and security question answers. The breach occurred through stolen login credentials rather than a direct system compromise, affecting workers' W-2 forms. The contractor disabled external portal access, restricting entry to internal single sign-on systems, and partnered with a third-party provider to investigate the incident alongside law enforcement. Impacted individuals received three years of identity-theft monitoring services. The external vendor confirmed no evidence of its systems being breached, attributing the incident solely to credential misuse.
Description
Between April 18, 2016, and March 29, 2017, unauthorized individuals gained access to an internal employee portal operated by Northrop Grumman, compromising sensitive tax records. The breach exposed W-2 forms for the 2016 tax year belonging to employees of the aerospace and defense contractor. Attackers accessed personal information including names, addresses, Social Security numbers, employer identification numbers, wage and tax details, work contact information, and any personal phone numbers or email addresses employees had entered into the portal. Customized security question answers stored in the system were also potentially compromised. The intrusion was discovered prior to March 29, 2017, with Northrop Grumman confirming the incident and initiating an investigation with its third-party portal provider, Equifax Workforce Solutions. The company notified affected employees and the California Attorney General’s office via letters dated April 18, 2017—the deadline for filing 2016 tax returns—highlighting the risk of identity theft and fraudulent tax refund claims stemming from the exposed data.

Northrop Grumman implemented containment measures by disabling external access to the compromised W-2 portal, restricting entry exclusively through its internal single sign-on system. The company offered three years of complimentary identity theft monitoring services to impacted personnel. Equifax Workforce Solutions, which managed the portal infrastructure, asserted its systems were not directly breached, attributing the incident to attackers using stolen credentials rather than exploiting technical vulnerabilities. Both organizations coordinated with law enforcement to support investigations into the unauthorized access. No evidence suggested Equifax’s systems were the source of the credential theft. The defense contractor emphasized its collaboration with Equifax to determine the breach’s scope and mechanism while maintaining operational continuity for its workforce and government contracts throughout the response period.
