The Awan IT Scandal Put Congressional Data at Risk

Congressional IT workers paid by 44 House Democrats gained unauthorized access to sensitive networks

The emails and personal files of at least 44 House Democrats could have been stolen and transferred overseas by their own IT workers, in a scandal that has been quietly brewing in Congress.

At the center of the controversy are Imran Awan, his brother Abid Awan, and five other family members and associates.

They worked as shared IT employees for 44 House Democrats and had access to the House members’ sensitive data, including emails, calendars, constituents’ data, and personal files, despite having little to no IT experience.

Click on timeline to enlarge.

All of the 44 House members had waived the background check on the employees, according to an inspector general’s report. Some of the members serve on committees that handle sensitive and sometimes classified information, such as the House Permanent Select Committee on Intelligence, the House Committee on Homeland Security, and the House Committee on Foreign Affairs.

The IT workers were paid an estimated $7 million by Congress since 2004, despite the fact that some of them were often not seen at work and in some cases worked remotely from Pakistan.

In September 2016, the House Office of Inspector General warned House leadership and the Committee on House Administration that the IT workers had made unauthorized logins on systems of House members they were not employed by, and in some cases continued to log in to the computers of members who had previously fired them. They also logged in using the personal credentials of congressmen, the office found.

The findings came during the heat of the 2016 presidential race and as WikiLeaks was publishing emails taken from the Democratic National Committee, which was chaired by Rep. Debbie Wasserman Schultz (D-Fla.), who had employed Imran Awan since 2005.

Despite the findings, access to congressional servers by the IT workers was not restricted until months later, after the election.

An analysis spanning seven months by the IG found that the five IT workers made excessive logons to a server belonging to a group similar to the DNC, the House Democratic Caucus. A total of 5,735 logons were recorded, an average of 27 times per day.

“Excessive logons are an indication that the server is being used for nefarious purposes and elevated the risk that individuals could be reading and/or removing information,” said the IG in the briefing, which was not publicly released.

The IG briefing also reveals that Dropbox had been installed on at least two computers that were uploading files online, in defiance of House policy. The Dropbox accounts contained thousands of files, which, according to the IG, contained information that was likely sensitive.

The House leaders, Paul Ryan and Nancy Pelosi, did not ban the five IT workers from the network until Feb. 2, 2017, when their access was blocked by the sergeant at arms. The Committee on House Administration put out a statement that acknowledged “suspicious activity” and said a “theft investigation” was ongoing.

Awan Family

Imran Awan, who immigrated from Pakistan to the United States in 1997 under the diversity lottery program, was hired in 2004—the same year he gained citizenship—by Rep. Xavier Becerra (D-Calif.), Rep. Gregory Meeks (D-N.Y.), and, soon after, Wasserman Schultz.

Imran quickly began earning among the highest salaries on Capitol Hill. After his salary hit a pay cap under congressional rules that prevent staffers from earning more than congressmen, other Democrats began adding Imran’s relatives to their own payrolls as IT aides, even though they did not have any background in IT.

In 2005, Imran’s brother Abid joined the payroll, and in 2007 Imran’s wife, Hina Alvi Awan, was added.

In 2011, Abid Awan’s wife, Ukrainian-born Natalia Sova, was added to the congressional payroll. Civil court documents show that during this time, Abid and his wife were running a used car dealership named Cars International A, which accepted a loan from Ali al-Attar, an Iraqi political figure of Iranian heritage who is wanted by the IRS and FBI on unrelated tax fraud charges.

In 2012, Abid Awan filed for bankruptcy, discharging $1.1 million in debts, despite his high salary. Documents showed that Abid Awan owed money to a man named Rao Abbas, who reportedly worked at McDonald’s. Shortly after, several House Democrats began paying Abbas as their ostensible IT aide.

In 2014, the youngest Awan brother, Jamal, was added to the payroll at age 20 and was soon earning as much as a congressman.

In total, the IT workers received $7 million in congressional pay and were responsible for the IT of 1 in every 5 House Democrats, or 44 in total.

Imran Awan himself took frequent trips to Pakistan and told associates he worked remotely from that country, The Daily Caller reported.

Background checks on the Awans and their associates were waived despite a number of red flags. Background checks are designed, in part, to reveal weaknesses, such as financial difficulty, that could be exploited by outside actors.

Suspicious Activity on Server

The House Democratic Caucus, whose server was identified as ground zero of the cybersecurity problems, was led by Becerra from 2013 to January 2017, when he became California’s attorney general.

The total logons onto the system, 5,735 during a seven-month period, were considered suspicious, as the computers in offices managed by the shared IT employees were accessed in total less than 60 times during the same time period.

The IG investigation also revealed that the “pattern of login activity suggests steps [were] being taken to conceal their activity.” This included the use of active role servers, which could have been used to grant access on a temporary basis and could have been used to evade network monitoring.

The Democratic Caucus server “could be used to store documents taken from other offices or evidence of other illicit activity,” according to the IG presentation.

The unusual login activity could also indicate computers were “used as a launching point to access other systems for which access may be unauthorized.”

The installation of Dropbox on two Democratic Caucus computers used by the IT workers raises concerns that those computers could have been used to transfer data out of Congress to other groups or nation-states.

According to other congressional IT workers, congressional staff and IT workers are prohibited from using Dropbox due to security concerns.

“While file sharing sites, such as Dropbox, have legitimate business purposes, use of such sites is also a classic method for insiders to exfiltrate data from an organization,” the IG report states.

Sensitive Data and Potential Blackmail

Among the data hosted on the IT systems of House members are emails, calendars, House members’ personal files, and personal information of constituents who have contacted their representative’s office.

Such sensitive data could prove useful to companies and other entities around the world.

“We know that there are countries and companies, entities around the world, who would pay a lot of money to have access to some members’ calendars, to their e-mails, see who they are meeting with, see what they’re saying about those meetings, that could be very valuable information,” said Rep. Louie Gohmert (R-Texas), during an informal hearing on the issue in Congress on Oct. 10, 2017.

In certain cases, personal files and data could also be used to blackmail politicians.

Investigations

Following its warning to House leadership on Sept. 20, 2016, the Office of Inspector General provided another briefing on Sept. 30, warning of “continuing unauthorized access” by the IT workers.

The investigation was then taken away from the inspector general in October and handed over to Capitol Police, despite the police having no cybersecurity expertise. In January, Imran Awan was able to travel to Pakistan unimpeded.

A server belonging to the House Democratic Caucus was stolen after the inspector general’s report named it as evidence in a hacking probe, three senior government officials told The Daily Caller. Around the same time, the head of the caucus, Rep. Xavier Becerra (D-Calif.), left Congress to become California’s attorney general.

On Feb. 2, 2017, the sergeant at arms officially banned the IT workers from the House network. A day later, most of the 44 House Democrats ended their contracts with the IT workers and fired them.

Wasserman Schultz did not fire Imran, saying the IT worker could service her technology needs without connecting to the House network. She also added Hina Alvi Awan as a second IT aide well after the investigation was underway.

In March 2017, Hina left for Pakistan with her children without notifying their schools. Prosecutors say that FBI agents had been surveilling her, and that they approached her at the airport, where she refused to speak to them. A search revealed Hina was carrying $12,400 in cash and many of her personal belongings, some packed in cardboard boxes. Despite this, she was allowed to board the plane.

When Imran Awan tried to leave the country on July 24, the FBI arrested him at the airport. A month later, on Aug. 17, both Imran and Hina were indicted for bank fraud. In September, Hina reached a deal with prosecutors to return to the United States from Pakistan.

Missing IT Equipment

The initial investigation by the Office of Inspector General also found that the shared IT employees were involved in irregular purchases of technology, such as iPads, iPhones, and other equipment.

Under congressional rules, inventory must be kept of all purchases by House members of equipment that has a purchase price of $500 or more. The IG found that some offices that employed the Awans were signing off on forms that manipulated pricing to make expensive products appear like they cost less than that.

Examples of purchases made this way include an iPad with an original cost of $799, that was billed for $499 together with Apple Care that was billed for $350, despite its actual cost being $88. To accomplish this, the Awans allegedly worked with CDW Government, a major government contractor, which says it is cooperating with prosecutors but has been told it is not a target.

The IG report also found that 75 pieces of equipment with a total purchase price of $118,416 went missing from one of the offices where Abid Awan worked. The office was later revealed to be that of Rep. Yvette Clarke (D-N.Y.). The missing equipment included laptops, iPads, TVs, video conferencing equipment, and computers. The IG report said Abid Awan, who was responsible for the equipment, made contradicting statements about it.

Family members of the Awans told The Daily Caller that they shipped a significant number of devices, such as iPads and iPhones, to Pakistan.

But one of Imran Awan’s lawyers said it was congressmen who wanted invoices falsified. “This is what experienced members of Congress expect: to expedite things, they adjust the pricing,” Aaron Page told The Daily Caller.

Abid Awan’s attorney, Jim Bacon, told The Washington Post: “In a fluid situation, you do what you’re ordered to do. … It sounds to me like there’s a lot of scapegoating here.”

Wasserman Schultz’s Laptop

Two months after being banned from the House IT network by the sergeant at arms, Imran Awan left a laptop with a username “RepDWS” in a phone booth, along with a letter to prosecutors and copies of his House ID card and driver’s license, according to a Capitol Police report. The bag was found by Capitol Hill police and seized.

During a televised hearing on May 18, 2017, Wasserman Schultz threatened the Capitol Police chief with “consequences” if the laptop was not returned. She hired a lawyer in an attempt to prevent prosecutors from looking at the contents of the laptop.

In August 2017, Wasserman Schultz seemingly changed course, saying: “This was not my laptop. I have never seen that laptop. I don’t know what’s on the laptop.”

Emails of Wasserman Schultz released by WikiLeaks reveal that Imran Awan had the login to her iPad. This means he would have had access to all of her personal information, including her calendar, emails, and notes.

In an October court appearance, Imran Awan’s lawyer, Chris Gowen, said he feels “very strongly” that the “RepDWS” laptop should not be used as evidence, citing attorney-client privilege. Both Imran Awan and Wasserman Schultz have been provided with an image of its hard drive.

In the six months since, prosecutors have postponed the next court date four times, pointing to “voluminous discovery” and discussions about the attorney-client privilege argument. Observers of the justice system say such delays would not be necessary for a bank fraud case and tare a sign that prosecutors are stalling while they build the cybersecurity and fraud cases.

Imran Awan remains out of jail with a GPS tracking monitor, which his lawyer has repeatedly requested be removed. On Dec. 18 prosecutors objected to that request. “Taking into account (1) Awan’s strong connections to Pakistan, (2) the wealth he already transferred there, and (3) his attempt to depart to Pakistan while knowing he was under investigation, the government asserts that Awan is a flight risk,” they wrote.

Epoch Times reporter Joshua Philipp contributed to this report.