Major USAID contractor Chemonics says 263,000 affected by 2023 data breach
A large contractor for the U.S. government said a 2023 cyberattack exposed the critical personal information of more than 263,000 people.
Chemonics, an international development firm with $1.4 billion in U.S. government contracts, announced the incident this week — notifying regulators in several states and posting a notice on its website.
The company said it discovered suspicious activity on December 15 and launched an investigation that revealed hackers had been in its systems since May 30, 2023, and continued to have access until January 9, 2024.
Chemonics declined to comment about why the company waited more than a year to notify victims but said the investigation “took time to complete.”
“Due to the sensitive nature of this issue, we’re not able to share a detailed response to your question,” a spokesperson said. “We continue to closely monitor our systems for any unusual activity. There is no ongoing unauthorized access, and the incident has been contained and remediated.”
The information stolen includes Social Security numbers, state ID information, passports, U.S. military ID information, health information, biometric data and even signatures.
The company said it is providing credit monitoring services but noted that access will be “based on the personal information that was potentially impacted.”
Filings with regulators in Maine said 263,136 people were impacted.
Founded in 1975, Chemonics works in more than 70 countries around the world with about 4,000 experts providing capacity building services focused on food security, healthcare, democracy and governance, trade, education and more.
It has received billions through contracts with the Agency for International Development (USAID) over the last decade.
At least one law firm said on Thursday that it is investigating a class action lawsuit related to the data breach.
Chemonics is the latest major U.S. government contractor impacted by a cybersecurity incident. Another major contractor for the U.S. government, ENGlobal Corporation, warned regulators earlier this week that a ransomware attack was limiting its operations.
In June, two federal contractors paid a total of $11.3 million in civil penalties to the U.S. government after admitting they failed to properly test the cybersecurity of a system for providing financial assistance to low-income people in New York during the COVID-19 pandemic.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.