
Data Stolen from 104,000 Energy Employees Was More Sensitive than First Thought


Hackers who breached an Energy Department personnel database in July got away with more sensitive data than the government first disclosed, including some banking information and password security questions of the 104,179 individuals affected, according to internal investigators.

A special report released by the Energy Inspector General on Friday details the postmortem of an intrusion into the DOE Employee Data Repository, or DOEInfo, the department's main Rolodex of records on current and former employees, dependents and contractors.

“Breached information exceeded just names, dates of birth and Social Security numbers as initially reported by the department,” Energy IG Gregory H. Friedman wrote in the Dec. 6 audit. “We noted through investigation or discussions with officials that select bank account numbers, places of birth, education, security questions and answers, and disabilities were also included in the loss of information.”

At the time of the probe, which concluded earlier this month, Energy officials were still in the process of notifying affected employees, contractors and dependents. On Friday, department officials said they had contacted more than 99 percent of the people.

“The Energy Department takes the security of its databases and cyber systems very seriously and appreciates the Inspector General’s review as it continues to take aggressive steps to minimize the impact of the July attack and prevent future cyber incursions,” Energy spokeswoman Niketa Kumar said in a statement.

A timeline of events outlined in the report reveals that a developer first noticed odd activity in system logs more than three weeks before the hackers got in, raising the question of whether the situation could have been contained earlier.

After the developer detected the abnormality on July 2, the Office of the Chief Information Officer was notified. The division determined "someone was repeatedly attempting to access the server running" the management information system that connects to DOEInfo, according to the investigation.

On July 24, without anyone noticing, the "server was breached," according to a forensic analysis conducted following the incident.

It would be another two weeks before the penetration was detected. Before that, "data was successfully exfiltrated" on July 26, when the attackers found a way to obtain high-level access privileges, the inspector general reported. Those permissions allowed the hackers to "run more than 600 queries against the system in a role that provided unlimited access."

Finally, on August 8, the breach was identified and the system was disconnected.
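The timeline above turns on two signals that were present in logs well before the breach was identified: repeated attempts to reach the server on July 2, and a burst of queries run under an all-access role on July 26. The following is an added example, not code from the inspector general's report or from the Energy Department, showing the kind of detection a defender could run over such logs to surface both signals. The log formats, IP addresses, account names, role names and alert thresholds are all constructed assumptions for illustration.

```python
"""Added example: sliding-window detection over constructed log lines.

Two detectors modelled on the two warning signs in the article's timeline:
  1. repeated failed access attempts from one source (the July 2 anomaly)
  2. a burst of queries run under a privileged database role (July 26)
Log formats, addresses, accounts, roles and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (assumed format, not real DOE logs):
# "<ISO timestamp> <client ip> <event> key=value ..."
ACCESS_LOG = """\
2013-07-02T01:10:05 203.0.113.7 LOGIN_FAIL user=mis_admin
2013-07-02T01:10:09 203.0.113.7 LOGIN_FAIL user=mis_admin
2013-07-02T01:10:14 203.0.113.7 LOGIN_FAIL user=root
2013-07-02T01:10:20 203.0.113.7 LOGIN_FAIL user=oracle
2013-07-02T01:10:27 203.0.113.7 LOGIN_FAIL user=mis_admin
2013-07-02T01:10:31 203.0.113.7 LOGIN_FAIL user=mis_admin
2013-07-02T08:15:00 198.51.100.20 LOGIN_OK user=jdoe
2013-07-02T08:40:12 198.51.100.21 LOGIN_FAIL user=asmith
2013-07-02T08:40:30 198.51.100.21 LOGIN_OK user=asmith
"""

# Roles treated as "unlimited access" for alerting purposes (assumed names).
PRIVILEGED_ROLES = {"DBA", "UNLIMITED"}


def _constructed_audit_log():
    """Build constructed database audit lines (assumed format):
    "<ISO timestamp> <db user> QUERY role=<role> table=<table>"."""
    lines = []
    # Simulated burst: 25 queries in 8 minutes from one account in the DBA role.
    base = datetime(2013, 7, 26, 2, 0, 0)
    for i in range(25):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} svc_report QUERY role=DBA table=employees")
    # Normal daytime activity under an ordinary, non-privileged role.
    for i in range(30):
        t = datetime(2013, 7, 26, 9, 0, 0) + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} jdoe QUERY role=READER table=timecards")
    # A few legitimate DBA queries spread hours apart: should not alert.
    for hour in (10, 13, 16):
        t = datetime(2013, 7, 26, hour, 0, 0)
        lines.append(f"{t.isoformat()} dba1 QUERY role=DBA table=schema_versions")
    return "\n".join(lines)


AUDIT_LOG = _constructed_audit_log()


def parse_line(line):
    """Split one log line into (timestamp, source, event, {key: value})."""
    ts, source, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest if "=" in kv)
    return datetime.fromisoformat(ts), source, event, fields


def sliding_window_hits(events, threshold, window):
    """events: iterable of (timestamp, key). For each key, find the largest
    number of events falling inside any time span of length `window`, and
    return {key: peak_count} for keys whose peak reaches `threshold`."""
    by_key = defaultdict(list)
    for ts, key in events:
        by_key[key].append(ts)
    alerts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window's left edge until it fits within `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def repeated_access_attempts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with `threshold` or more LOGIN_FAIL events inside `window`."""
    events = []
    for line in log_text.splitlines():
        ts, source, event, _ = parse_line(line)
        if event == "LOGIN_FAIL":
            events.append((ts, source))
    return sliding_window_hits(events, threshold, window)


def privileged_query_burst(log_text, threshold=20, window=timedelta(minutes=10)):
    """Flag accounts running `threshold` or more queries in a privileged role
    inside `window`; ordinary-role activity is ignored."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, fields = parse_line(line)
        if event == "QUERY" and fields.get("role") in PRIVILEGED_ROLES:
            events.append((ts, f"{user} (role={fields['role']})"))
    return sliding_window_hits(events, threshold, window)


if __name__ == "__main__":
    print("repeated access attempts:", repeated_access_attempts(ACCESS_LOG))
    print("privileged query bursts:", privileged_query_burst(AUDIT_LOG))
```

Both detectors share one sliding-window counter, so the same logic that would have flagged the repeated attempts on July 2 also flags the query burst on July 26; only the event filter and the key (source address versus account-and-role) differ. Thresholds are deliberately low for the constructed data and would be tuned against a real system's baseline.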

Assessments over the past four years of the security of the infiltrated management system and other Energy information technology assets show a pattern of vulnerabilities, according to a Nextgov review of past government audits.

The report underscores this pattern of neglect: "Over the past several years, MIS has been involved in no less than three cyber security breaches." Personal information was not stolen during the other two events.

Investigators did not uncover a root cause of the breach, but did identify management misunderstandings and certain technical lapses as contributing factors. Stored Social Security numbers were not encrypted, that is, scrambled so that compromised data would be illegible to hackers. And, even though the system has been operating since 1994, "there was apparent confusion as to which organization was responsible for ensuring that proper security was maintained," such as applying bug fixes, according to the report.

The review found that Energy did not work fast enough to notify affected individuals, possibly because the CIO was wearing two hats at the time. The chief also serves as the senior agency official for privacy, and "employees within the OCIO were forced to balance the need to respond to and recover from the incident with the need to analyze forensic data so affected individuals could be identified,” the investigation stated.

Energy officials on Friday said efforts are underway to prosecute those responsible for the penetration and install better system controls.

“The department continues to work with its federal partners, including the Department of Homeland Security, to put in place new protections to further strengthen our cyber defenses and restrict unauthorized disclosure,” Kumar said.

U.S. authorities in October charged an individual with conspiracy to access and damage networks at multiple federal agencies, including the Energy system, department officials said. The Energy IG is investigating the matter with the FBI.

By the end of January 2014, the department plans to remove all unnecessary information and Social Security numbers from computer systems and add encryption technology.

(Image via Kittichai/Shutterstock.com)
