Energy Department Breach Years In Making, Investigators Say

July data breach that affected up to 150,000 employees traces back to a string of managerial and technical failures, investigators conclude.


The July 2013 Department of Energy breach happened because of a series of managerial and technological failures, some of them stretching back years.

That's the top-level takeaway from a 28-page report, released Wednesday, by Gregory H. Friedman, the inspector general (IG) of the Department of Energy. The IG's report is a result of an investigation that was launched, in part at the request of the DOE's CIO, after an attacker hacked into the DOE Employee Data Repository (aka DOEInfo), which is accessed via a gateway provided by the agency's management information system (MIS).

The list of failures cataloged by the report is extensive, starting with a "lack of urgency" over information security matters. "While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease," said Friedman. The attacker exploited a DOEInfo vulnerability for which attack code was publicly available on the Internet.


The data breach may also be more extensive than realized. According to previous DOE disclosures, attackers stole personally identifiable information (PII) for 104,000 people. But according to Friedman, the number may be closer to 150,000, based on a number of additional nine-digit records -- which may be social security numbers -- that the IG's office found in digital forensic data. DOE officials have responded to that finding by saying that they believe at least some of the discrepancy may be due to "false positives."

Furthermore, the report revealed that stolen information didn't only comprise names, dates of birth, social security numbers, and some bank account numbers, as the DOE previously disclosed. Information pertaining to places of birth, education, security questions -- and answers -- and disabilities was also exposed.

The hack was the third MIS breach to occur within three years. The breach occurred after an attacker gained access to DOEInfo, which was an outdated Adobe ColdFusion system that's been rebuilt since the attack. DOEInfo first launched in 1994, and more than 30 different systems were connected to the database at some point in time. But according to the IG's report, DOE management failed to keep abreast of how the database was being used, or seemingly of the agency's enterprise architecture in general. As evidence, the report notes that at least two disused systems were still connected to DOEInfo. During the July 2013 breach, the attacker accessed one of those systems, although it reportedly didn't store sensitive data.

Other problems that contributed to the breach involved the agency failing to encrypt stored PII and using social security numbers as unique identifiers, in violation of federal guidelines. Friedman's report also slammed the agency for "permitting direct Internet connections to a highly sensitive system without adequate security controls," noting that the security controls in place for checking email were stronger than the controls in place to secure access to DOEInfo.
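One way to address the two findings in that paragraph, unencrypted stored PII and social security numbers used as unique identifiers, is to key records by a random surrogate identifier and keep only a keyed blind index of the SSN for lookups. The following is an added example, not code from the DOE systems or the IG report; the store, the HMAC key and the sample records are constructed, and it covers the identifier half of the fix (encrypting the remaining fields at rest is left to a vetted library).

```python
"""Surrogate identifiers plus a keyed blind index in place of raw SSNs.

Constructed example: the store, key and records are illustrative only.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import uuid

# Constructed key. In practice it lives in a key-management service, never
# beside the data it protects: the SSN space is only 10^9 values, so anyone
# holding the key could brute-force the index.
INDEX_KEY = secrets.token_bytes(32)


def blind_index(ssn: str, key: bytes = INDEX_KEY) -> str:
    """Keyed HMAC-SHA256 of a normalised SSN.

    Lets the store answer "is this SSN already enrolled?" without ever
    holding the SSN itself, and without making the SSN the record key.
    """
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


class EmployeeStore:
    """Records are keyed by a random UUID (surrogate id), not by SSN."""

    def __init__(self) -> None:
        self._by_id: dict[str, dict] = {}
        self._by_ssn_index: dict[str, str] = {}  # blind index -> employee id

    def enrol(self, name: str, ssn: str) -> str:
        idx = blind_index(ssn)
        if idx in self._by_ssn_index:
            raise ValueError("employee already enrolled")
        emp_id = str(uuid.uuid4())  # surrogate identifier, carries no PII
        self._by_id[emp_id] = {"name": name, "ssn_index": idx}
        self._by_ssn_index[idx] = emp_id
        return emp_id

    def find_by_ssn(self, ssn: str) -> str | None:
        return self._by_ssn_index.get(blind_index(ssn))

    def contains_raw_ssn(self, ssn: str) -> bool:
        """Audit helper: does the raw SSN appear anywhere in stored data?"""
        digits = "".join(ch for ch in ssn if ch.isdigit())
        return any(digits in str(v) for rec in self._by_id.values() for v in rec.values())
```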

Department of Energy headquarters in Washington, DC. (Image by cliff1066.)

The report also found that the DOE failed to patch, improve, or upgrade systems "even though they were known to have critical and/or high-risk security vulnerabilities." Likewise, the agency appeared to lack plans for replacing systems that had reached the end of their life. "Although core support for the version of the compromised application upon which MIS was built ended in July 2012, the department did not purchase updated software until March 2013 -- eight months after support for the outdated application ended," Friedman said.

On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities. Managers interviewed by the IG's office acknowledged that even though DOEInfo had known, high-risk vulnerabilities, "they lacked the authority to impose restrictions on system operation or take other corrective measures when known security vulnerabilities were not addressed," Friedman said. "We could not determine with certainty whether the lack of authority, in all instances, was real or only perceived."

Regardless, senior managers failed to take charge of security matters. "OCIO officials told us that various system owners they supported prohibited them from making security updates to applications in a timely manner because doing so would make it harder for employees to do their work," said Friedman. "Conversely, program officials indicated that they directed security-related issues to the OCIO and never received responses."

An application developer had reported the DOEInfo system vulnerabilities to the CIO's office. But they "were not fully investigated," Friedman said, leading him to "question the thoroughness of department's analysis of the reported anomalies."

To date, the costs of the DOEInfo breach have included $1.6 million for credit monitoring and an estimated $2.1 million in lost productivity, owing to the agency granting affected personnel up to four hours of paid leave. According to DOE insiders, as well as the IG's report, the breach -- and the perception that related data breach notifications weren't released in a timely manner -- also took a bite out of employee morale.

The IG's report makes a number of cybersecurity program and control environment suggestions to prevent a future breach, aimed at improving communications and coordination and ensuring that all PII gets stored and used securely. Related changes have begun, including no longer storing outdated information and encrypting all social security numbers. In addition, the CIO's office is implementing "improvements to the real-time protection and continuous monitoring of DOEInfo and the underlying infrastructure," Friedman said.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.


User Rank: Author
12/13/2013 | 6:59:28 PM
Inspectors General
This report is certainly a cautionary tale about what happens when managers ignore advice and/or choose to underinvest.

But this report is also remarkable for another reason. It's something that you'll rarely see in the private sector. In fact, government agencies deserve more credit than they get for 1) maintaining inspectors on staff to investigate operating problems; and 2) for releasing the messy findings when they occur, as DOE's inspector general has -- and other agency inspectors general do on a regular basis.

It's not a lot of consolation for those whose private information was compromised. But take a moment to ponder: You don't see a report like this explaining why an Amazon regional cloud center went down or when a credit card processing company gets hacked.

Now let's hope DOE and other federal agencies learn from their mistakes.

Marilyn Cohodas,
User Rank: Author
12/13/2013 | 3:32:47 PM
Re: Breaches And Communication
I wonder if the private sector is any better than this. I kinda doubt it. Anyone agree?
User Rank: Author
12/13/2013 | 2:22:26 PM
Breaches And Communication
"On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities." That makes me squirm just thinking about it. But IT pros see this time and again -- complete failure to communicate.