IG: Personal Information Stolen from 104,179 after Energy Department Cyber Attack

Hackers breached system with ‘relative ease’

Wikimedia Commons
December 13, 2013

Hackers were able to obtain personal information from 104,179 Department of Energy employees and contractors during an attack this summer, according to the Inspector General.

An attack in July 2013, one of at least three cyber security breaches at the department, allowed hackers to access individuals’ Social Security and bank account numbers with "relative ease."

The Energy department was aware of "early warning signs" that personally identifiable information (PII) of its employees was at risk, according to the special report of the incident released last Friday.

"The attackers in this case were able to use exploits commonly available on the internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data—information that could be used to damage the financial and personal interests of many individuals," the IG said.

The attack cost the department at least $3.7 million, including $1.6 million in credit monitoring and labor costs. Workers whose personal information was stolen also received administrative leave to deal with the situation, costing approximately $2.1 million in lost productivity.

The Energy Department also underreported the significance of the breach, saying only 53,000 employees were affected prior to the IG’s investigation. As a result, many employees were not informed that their personal information was stolen. The department is still in the process of notifying all of its employees.

"We also found that the extent of PII stolen was much more extensive than that originally reported by the Department," the IG said.

"Breached information exceeded just names, dates of birth and Social Security numbers as initially reported by the Department," they said. "In particular, we noted through investigation or discussions with officials that select bank account numbers, places of birth, education, security questions and answers, and disabilities were also included in the loss of information."

The report was released as concerns grow over the lack of security within the Obamacare website, which experts say lacks fundamental safeguards and leaves Americans’ personal information at risk.

The IG placed blame for the breach on a variety of factors, including the "frequent use of complete Social Security numbers as identifiers," a lack of adequate security controls, and ineffective communication between managers.

"While we did not identify a single point of failure that led to the breach," the IG said, "the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease."

The IG said the attack was the most serious to hit the department, after past breaches in May 2011, and January 2012 did not appear to result in the loss of personal information.

The Washington Free Beacon reported on a separate major cyber attack in January, when the likely suspects were Chinese hackers. The department is known to be a major target of China for both secrets and technology.

The IG report does not indicate the source of the hackers who breached the site in July.