
Energy IG Reports Dating to 2009 Foreshadowed Hack That Hit 104,000


Before computer attackers in July breached Energy Department personnel systems, federal inspectors for years had been warning officials about unencrypted sensitive data and urging them to fix application vulnerabilities -- failings that ultimately would lead to the hack of sensitive information on 104,179 individuals, according to a Nextgov review of annual cybersecurity evaluations.  

An inspector general special report issued on Friday determined that the inability to fix known entry points for hackers made possible a July intrusion into the DOE Employee Data Repository, or DOEInfo, the main Rolodex of records on employees, relatives and contractors. The outsiders stole names, Social Security numbers, banking information, and password questions and answers, among other personal data.

"Critical security vulnerabilities in certain software supporting the [management information system] application had not been patched or otherwise hardened for a number of years," the report stated, referring to the system that connects to DOEInfo. "No efforts had been undertaken to eliminate the unnecessary use of Social Security numbers in the existing DOEInfo database tables even though the requirement to do so was over 5 years old."

Among the potential doorways for hackers cited in an August 2009 IG report: sensitive information on laptops and handhelds, as well as data sent by email, was not always encrypted. Energy officials also permitted unencrypted files to be transmitted to offsite storage facilities.

A similar IG evaluation from October 2011 revealed network weaknesses had spiked 60 percent between fiscal 2010 and fiscal 2011. The security gaps documented included lax access controls and software defects.

Inspectors examining this summer's assault said they could not identify a single fatal flaw, but found several weaknesses that assisted the hackers, many of which, old IG reports show, were flagged previously.

Ultimately, the attackers crept in by using "exploits commonly available on the Internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data -- information that could be used to damage the financial and personal interests of many individuals," Friday's report states.

Exploits are hacking tools that take advantage of vulnerabilities -- like those found in the earlier IG reports -- to break into systems. 

Among the factors that aided and abetted the hackers this year: the systems struck were directly accessible through the Web without adequate safeguards and contained vulnerabilities that weren't patched. In addition, the systems stored Social Security numbers in plain text. 

Officials had been "permitting systems to operate even though they were known to have critical and/or high risk security vulnerabilities," Friday's report states. "The department had not taken appropriate action to remediate known vulnerabilities on its systems either through patching, system enhancements or upgrades."

According to the 2011 evaluation, tests at 25 facilities, including headquarters, turned up 32 new vulnerabilities plus an additional 24 left unresolved from the prior year.

One year later, a November 2012 inspector general audit found 29 Web applications, including human resource software, did not undergo "validation" to regularly check that program changes were authorized.
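The "validation" the 2012 audit found missing is, in practice, a recurring comparison of what is deployed against what was approved. The following is an added example, not code from the article or from the Energy Department, of one common way to do that: hash every file of a release into a manifest, protect the manifest with an HMAC so it cannot be edited alongside the files it describes, and re-check the deployment on a schedule. The directory layout, file contents and key are constructed for the demonstration; in a real deployment the key would come from a secrets store rather than the code.

```python
"""Added example, not the article's or DOE's code: a periodic check that a
deployed web application's files still match an approved manifest, so an
unauthorized program change shows up as a difference."""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """Attach an HMAC over the canonical JSON so the stored baseline cannot be
    quietly edited together with the files it describes."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"files": manifest, "hmac": tag}


def verify_deployment(root, signed, key):
    """Return a change report. 'tampered_manifest' is True when the baseline
    itself fails its HMAC; the file comparison is then not trusted."""
    body = json.dumps(signed["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        return {"tampered_manifest": True, "modified": [], "added": [], "removed": []}
    current = build_manifest(root)
    approved = signed["files"]
    return {
        "tampered_manifest": False,
        "modified": sorted(p for p in approved if p in current and current[p] != approved[p]),
        "added": sorted(p for p in current if p not in approved),
        "removed": sorted(p for p in approved if p not in current),
    }


def demo():
    """Constructed scenario: approve a two-file app, then alter one file and
    drop in a new one; returns the report the scheduled check would raise."""
    key = b"constructed-demo-key-use-a-secrets-store-in-practice"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", "login.py"), "w") as f:
            f.write("def login(): ...\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html></html>\n")
        signed = sign_manifest(build_manifest(root), key)
        # An unapproved edit to an existing file, plus a file nobody approved.
        with open(os.path.join(root, "app", "login.py"), "a") as f:
            f.write("# unapproved edit\n")
        with open(os.path.join(root, "app", "extra.py"), "w") as f:
            f.write("pass\n")
        return verify_deployment(root, signed, key)


if __name__ == "__main__":
    print(demo())
```

Run on a schedule (and on every release), the report's three lists are the signal the audit asked for: anything in "modified" or "added" that does not correspond to an approved change ticket is an unauthorized program change. Hashing answers only "did it change"; deciding whether a change was authorized still needs a record of approved releases to compare the manifest against.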

On Friday, Energy officials said work is underway to address the inspector general's latest discoveries. The department is examining all online systems and applications, as well as instituting new protections to restrict unauthorized disclosure. All superfluous personal information and Social Security numbers will be expunged from systems by the end of January 2014, officials said. And encryption tools will be installed to protect remaining sensitive information. 
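Two of the findings above, that the systems stored Social Security numbers in plain text and that the remedy is to expunge the unnecessary ones and protect the rest, describe a concrete data-handling change. The following is an added example, not code from the article or from the Energy Department, of what that change looks like on a table: first scan rows for cells that are plaintext SSNs, then replace them with keyed HMAC tokens, so the table no longer holds the number but rows can still be matched. The sample rows, column names and key are constructed; the structural rules used to recognise an SSN (area not 000, 666 or 900-999, group not 00, serial not 0000) are the Social Security Administration's published ones and are what keep a 9-digit routing number from being flagged.

```python
"""Added example, not code from the Nextgov article or from DOE: find table
cells holding plaintext Social Security numbers, then replace them with keyed
HMAC tokens so the raw number no longer sits in the table."""
import hashlib
import hmac
import re

# Constructed sample rows standing in for a personnel table. The routing
# numbers are made-up 9-digit strings, included to show a likely false positive.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "bank_routing": "012000345"},
    {"id": 2, "name": "B. Example", "ssn": "876543210", "bank_routing": "034000678"},
    {"id": 3, "name": "C. Example", "ssn": None, "bank_routing": "056000912"},
]

SSN_SHAPE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
TOKEN_PREFIX = "tok:"


def looks_like_ssn(value):
    """True if value has SSN shape and passes the SSA structural rules:
    area not 000/666/900-999, group not 00, serial not 0000."""
    if not isinstance(value, str):
        return False
    m = SSN_SHAPE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(g) for g in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def find_plaintext_ssn_columns(rows):
    """Return {column: count} for every column holding plaintext SSNs."""
    hits = {}
    for row in rows:
        for col, val in row.items():
            if looks_like_ssn(val):
                hits[col] = hits.get(col, 0) + 1
    return hits


def tokenize_ssn(ssn, key):
    """Deterministic keyed token: the same SSN gives the same token under the
    same key, so rows can still be joined, but the number cannot be read back
    from the table. Key custody (KMS/HSM) is an assumption outside this code."""
    digits = re.sub(r"\D", "", ssn)
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return TOKEN_PREFIX + mac


def remediate(rows, key, column="ssn"):
    """Return new rows with plaintext SSNs in `column` replaced by tokens.
    Idempotent: already-tokenised or empty cells are left alone."""
    out = []
    for row in rows:
        new = dict(row)
        if looks_like_ssn(new.get(column)):
            new[column] = tokenize_ssn(new[column], key)
        out.append(new)
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key-use-a-kms-in-practice"
    print("before:", find_plaintext_ssn_columns(SAMPLE_ROWS))  # {'ssn': 2}
    fixed = remediate(SAMPLE_ROWS, key)
    print("after: ", find_plaintext_ssn_columns(fixed))  # {}
```

The scan step is the part worth running first and repeatedly, across every table: the report's point was that the plaintext numbers were still there years after the requirement to remove them. The token is only as protective as the separation between the key and the database; the SSN space is small enough that anyone holding both can enumerate it, which is why the key belongs in a separate key store and the token, not the number, is what the application stores.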

(Image via Lisa S./
