EEOC experienced security incident involving contractor’s ‘unauthorized’ access, email says

The Equal Employment Opportunity Commission was impacted in an internal data security incident that occurred around a year ago, and involved a contractor’s employees mishandling sensitive information in one of the agency’s systems, according to a notification email obtained by Nextgov/FCW.

The breach in the EEOC’s Public Portal system, which the agency was made aware of around Dec. 18, involved unauthorized access of agency data that may have exposed personally identifiable information of its employees. The notification was sent Wednesday by the EEOC’s data security office.

“Staff employed by the contractor, who had privileged access to EEOC systems, were able to handle data in an unauthorized (UA) and prohibited manner in early 2025,” it reads. “Upon discovery, the EEOC took immediate steps to secure its systems and initiated an assessment to determine the nature and scope of the incident.”

It later adds: “The review determined that certain personally identifiable information (PII) may have been exposed. Depending on the individual, this information may have included name and other identifying or contact information. The review is ongoing, and the EEOC is working with law enforcement.”

The notification email also encourages recipients to monitor their financial accounts for suspicious activity and says that agency staff will be required to reset their passwords. 

According to contracting data, Opexus, which sells case management software solutions to the federal government, was contracted with EEOC in this capacity.

A company spokesperson confirmed their involvement and said Opexus and EEOC “took immediate action when we learned of this activity, and we continue to support investigative and law enforcement efforts into these individuals’ conduct which is under active prosecution in the Federal Court of the Eastern District of Virginia.”

“While the individuals responsible met applicable seven-year background check requirements consistent with prevailing government and industry standards at the time of hire, this incident made clear that personnel screening alone is not sufficient,” the spokesperson said. 

“On the HR side, those responsible for the hiring decisions are no longer employed by the company, and we have strengthened our screening and oversight processes, including extending background checks to ten years where permitted by law, enhancing compliance training, and reinforcing controls within our hiring and termination workflows,” the spokesperson added.

“The U.S. Equal Employment Opportunity Commission takes data security seriously. This matter is under investigation by law enforcement, and the EEOC is not able to provide additional information at this time,” an agency spokesperson said. 

Nextgov/FCW has also reached out to the agency’s relevant oversight committees in Congress.

EEOC is at the center of the second Trump administration’s efforts to deter alleged “illegal discrimination” fueled by diversity, equity and inclusion programs, which over the last year have been scrutinized and dismantled at practically all levels across the federal government. The changes have trickled down to major private corporations across the country.

Last month, EEOC chairwoman Andrea Lucas addressed an X post to white men asking if they have faced discrimination in their workplace because of their race or sex, and encouraged them to report their experiences to the agency “as soon as possible.”

The incident underscores that insider threats through government contractors are a persistent and often underappreciated risk, particularly in environments where third-party personnel are granted broad or long-term access to sensitive government systems.

This story is breaking and may be updated.