For years, the department failed to encrypt sensitive data and fix application vulnerabilities that created an environment ripe for intrusion.
Before computer attackers in July breached Energy Department personnel systems, federal inspectors for years had been warning officials about unencrypted sensitive data and urging them to fix application vulnerabilities -- failings that ultimately would lead to the hack of sensitive information on 104,179 individuals, according to a Nextgov review of annual cybersecurity evaluations.
An inspector general special report issued on Friday determined that the inability to fix known entry points for hackers made possible a July intrusion into the DOE Employee Data Repository, or DOEInfo, the main Rolodex of records on employees, relatives and contractors. The outsiders stole names, Social Security numbers, banking information, and password questions and answers, among other personal data.
"Critical security vulnerabilities in certain software supporting the [management information system] application had not been patched or otherwise hardened for a number of years," the report stated, referring to the system that connects to DOEInfo. "No efforts had been undertaken to eliminate the unnecessary use of Social Security numbers in the existing DOEInfo database tables even though the requirement to do so was over 5 years old."
Among the potential doorways for hackers cited in an August 2009 IG report was that sensitive information on laptops and handhelds, as well as data sent by email, was not always encrypted. Energy officials also permitted unencrypted files to be transmitted to offsite storage facilities.
A similar IG evaluation from October 2011 revealed network weaknesses had spiked 60 percent between fiscal 2010 and fiscal 2011. The security gaps documented included lax access controls and software defects.
Inspectors examining this summer's assault said they could not identify a single fatal flaw, but found several weaknesses that assisted the hackers, many of which, old IG reports show, were flagged previously.
Ultimately, the attackers crept in by using "exploits commonly available on the Internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data -- information that could be used to damage the financial and personal interests of many individuals," Friday's report states.
Exploits are hacking tools that take advantage of vulnerabilities -- like those found in the earlier IG reports -- to break into systems.
Among the factors that aided and abetted the hackers this year: the systems struck were directly accessible through the Web without adequate safeguards and contained vulnerabilities that weren't patched. In addition, the systems stored Social Security numbers in plain text.
Officials had been "permitting systems to operate even though they were known to have critical and/or high risk security vulnerabilities," Friday's report states. "The department had not taken appropriate action to remediate known vulnerabilities on its systems either through patching, system enhancements or upgrades."
According to the 2011 evaluation, tests at 25 facilities, including headquarters, turned up 32 new vulnerabilities plus an additional 24 left unresolved from the prior year.
One year later, a November 2012 inspector general audit found 29 Web applications, including human resource software, did not undergo "validation" to regularly check that program changes were authorized.
On Friday, Energy officials said work is underway to address the inspector general's latest discoveries. The department is examining all online systems and applications, as well as instituting new protections to restrict unauthorized disclosure. All superfluous personal information and Social Security numbers will be expunged from systems by the end of January 2014, officials said. And encryption tools will be installed to protect remaining sensitive information.