Hackers that breached an Energy Department personnel database in July got away with more sensitive data than first disclosed by the government, including some banking information and password security questions of the 104,179 individuals affected, according to internal investigators.
A special report released by the Energy Inspector General on Friday details the postmortem of an intrusion into the DOE Employee Data Repository, or DOEInfo, the main Rolodex of records on current and former department employees, dependents and contractors.
“Breached information exceeded just names, dates of birth and Social Security numbers as initially reported by the department,” Energy IG Gregory H. Friedman wrote in the Dec. 6 audit. “We noted through investigation or discussions with officials that select bank account numbers, places of birth, education, security questions and answers, and disabilities were also included in the loss of information.”
At the time of the probe, which concluded earlier this month, Energy officials were still in the process of notifying affected employees, contractors and dependents. On Friday, department officials said they had contacted more than 99 percent of the people.
“The Energy Department takes the security of its databases and cyber systems very seriously and appreciates the Inspector General’s review as it continues to take aggressive steps to minimize the impact of the July attack and prevent future cyber incursions,” Energy spokeswoman Niketa Kumar said in a statement.
A timeline of events outlined in the report reveals a developer first noticed odd activity in system logs more than three weeks before the hackers got in, raising questions about whether the situation could have been contained earlier.
After the developer detected the abnormality on July 2, the Office of the Chief Information Officer was notified. The division determined "someone was repeatedly attempting to access the server running" the management information system that connects to DOEInfo, according to the investigation.
On July 24, without anyone noticing, the "server was breached," according to a forensic analysis conducted following the incident.
It would be another two weeks before the penetration was detected. But first, "data was successfully exfiltrated" on July 26, when the attackers found a way to obtain high-level access privileges, the inspector general reported. Those permissions allowed the hackers to "run more than 600 queries against the system in a role that provided unlimited access."
Finally, on August 8, the breach was identified and the system was disconnected.
Assessments during the past four years of the security of the infiltrated management system and other Energy information technology assets show a pattern of vulnerabilities, according to a review of past government audits by Nextgov.
The report underscores this pattern of neglect: "Over the past several years, MIS has been involved in no less than three cyber security breaches." Personal information was not stolen during the other two events.
Investigators did not uncover a root cause of the breach, but did identify management misunderstandings and certain technical lapses as contributing factors. Social Security numbers stored were not encrypted, or scrambled to render compromised data illegible to hackers. And, even though the system has been operating since 1994, "there was apparent confusion as to which organization was responsible for ensuring that proper security was maintained," such as bug fixes, according to the report.
The review found that Energy did not work fast enough to notify affected individuals, possibly because the CIO was wearing two hats at the time. The chief also serves as the senior agency official for privacy, and "employees within the OCIO were forced to balance the need to respond to and recover from the incident with the need to analyze forensic data so affected individuals could be identified,” the investigation stated.
Energy officials on Friday said efforts are underway to prosecute those responsible for the penetration and install better system controls.
“The department continues to work with its federal partners, including the Department of Homeland Security, to put in place new protections to further strengthen our cyber defenses and restrict unauthorized disclosure,” Kumar said.
U.S. authorities in October charged an individual with conspiracy to access and damage networks at multiple federal agencies, including the Energy system, department officials said. The Energy IG is investigating the matter with the FBI.
By the end of January 2014, the department plans to remove all unnecessary information and Social Security numbers from computer systems and add encryption technology.