Skip to main content

How hackers made minced meat of Department of Energy networks

posted onDecember 17, 2013
by l33tdawg

A Department of Energy network breach earlier this year that allowed hackers to download sensitive personal information for 104,000 people was the result of a decade-old patchwork of systems, some that hadn't installed critical security updates in years, according to a federal watchdog.

July's successful hack on the department's Employee Data Repository database was at least the third one to occur since 2011, DOE Inspector General Gregory H. Friedman wrote in a recently published review of the breach. The hack resulted in the exfiltration of more than 104,000 individuals' personally identifiable information (PII), including their social security numbers, bank account data, dates and places of birth, user names, and answers to security questions. The department expects to incur costs of $3.7 million setting up credit monitoring and in lost productivity. That figure doesn't include the costs of fixing the vulnerable systems.

The inspector general review recited a litany of failures that allowed hackers to penetrate system defenses. Chief among them is the fact that none of the 354 database tables containing social security numbers were encrypted. Using strong cryptography to protect such "at rest" PII has long been considered a best practice in government and corporate data security. The department's management information system (MIS) that allowed access to the DOEInfo databases also failed to require common security enhancements, such as two-factor authentication or a department-issued virtual private network.

Source

Tags

Hackers Security DOE

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th