BreachExchange mailing list archives

Energy Dept. Hack Details Emerge


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sat, 31 Aug 2013 15:20:33 -0600

http://www.informationweek.com/security/attacks/energy-dept-hack-details-emerge/240160685

The Department of Energy has disclosed new information concerning a
recent cyberattack that compromised employees' personally identifying
information (PII).

According to an email sent to all DOE employees on Aug. 29,
information on 2,532 current employees, 3,172 former employees and
seven employees on leave was stolen in the breach, which occurred in
July. "The sensitive PII data compromised was limited to names, dates
of birth and social security numbers," the internal memo stated. The
stored information did not include banking, credit card or clearance
information, according to the memo, which said that no information
related to agency contractors had been compromised.

A spokesman for the DOE wasn't immediately available to confirm that
it sent the memo, but an agency source confirmed its authenticity.
Agency officials have so far declined to respond to all requests for
comment on the breach.

The data breach was first disclosed to employees in an Aug. 14 email,
which said that no confidential DOE information had been stolen, and
that data on 14,000 employees was compromised. The agency promised to
notify all affected employees individually by the end of August.

The Aug. 29 memo revealed that the system hacked by attackers is
called "DOEInfo." The system is owned and maintained by the agency's
Office of the Chief Financial Officer.

According to agency sources, who spoke on condition of anonymity, the
hacked application was Internet-accessible and written in ColdFusion,
a rapid Web application development platform -- developed by Allaire,
then purchased by Adobe in 2005 -- that was originally designed to
allow HTML pages to be connected to databases. But the version of
ColdFusion being used for DOEInfo remained outdated and vulnerable to
known exploits.

According to DOE sources, the problem of insecure systems that contain
PII is widely known at the agency but difficult to change since more
than 1,000 systems tap DOEInfo, which maintains a single user ID for
each employee, tied to employee access permissions. "Our logins still
use our initials and parts of our SSN (duh), who would think that was
good enough in the first place?" one source said in an email message.
"Complaining doesn't help. The answer is always, it costs too much to
redo our PII."

The breach notification was also published on BPA Connection, the
DOE's intranet, where some employees complained about a lack of
timely, forthright communication about the breach. Some questioned
whether agency officials are covering up the full extent of the
breach.

The July breach marked the second time this year that DOE employee
information was compromised in a cyberattack, following a February
intrusion.

The memo distributed on Aug. 29 stated "The Office of Cyber Security
is working with organizations at DOE to obtain verifiable information
and direction," presumably referring to the agency's participation in
the breach investigation, which also involves federal law enforcement
agencies. "As information becomes available, we will inform employees
through e-mail and updates to the BPA Connection article," it
continued, referring to a copy of the Thursday data breach
notification that was also posted to the agency's intranet.

To date, the DOE has offered no identity-theft monitoring services to
affected employees. Instead, the agency referred them to a free
Federal Trade Commission pamphlet called "Taking Charge: What To Do If
Your Identity Is Stolen."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.