Thanks to the blog reader who directed me to the Washington Times story Contractor returns money to Pentagon:
Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractors system was hacked from an Internet address in China...
Apptis agreed to the repayment after the Defense Criminal Investigative Service concluded the company and a subcontractor failed to provide "proper network security and information assurance services," according to the report, released in June.
The subcontractors system under Apptis management was intruded upon "with total access to the root network" from an Internet address in China, the report said.
Wow. Can anyone think of another case where a company was "fined" by a customer for an intrusion? Usually we only hear of PCI issues.