Department of Energy data breach affects thousands

Some 14,000 current and past employees are being notified that personally identifiable information was accessed.

A number of current and past employees at the U.S. Department of Energy (DOE) are being notified in letters that an unauthorized party gained access to their personally identifiable information (PII) on the agency's network.

Roughly 14,000 former and present workers may have been affected, according to the email notification, and although it does not reveal what type of information was involved in the apparent heist, PII typically means names, Social Security numbers, dates of birth, medical records or anything that might be linkable to an individual.

No classified data was targeted or compromised, according to the letter, which was obtained by The Wall Street Journal.

The DOE's cyber security office, as well as the Office of Health, Safety and Security (within the DOE) and the Office of Inspector General (part of the U.S. Department of Health & Human Services) are working collaboratively with federal law enforcement to determine exactly how the incident occurred, but it was said to have taken place at the end of July.

The DOE will develop a “remediation plan” as soon as the investigation concludes, but for now officials are spending the remainder of August alerting those who may have had information compromised. Affected employees will receive one free year of credit monitoring services.

Cameron Camp, a security researcher with IT security company ESET, told SCMagazine.com on Friday that he believes the attack was deliberate. While he could not say for sure since the DOE has not revealed the method of the intrusion, he said that the limited details mean "effort was involved" and that "the DOE has to stay on its guard."

Organizations must understand methods used to build defenses against these kinds of attacks, said Camp. He made general suggestions, including setting specific hours when certain data can travel outside of a firewall, and perhaps even hiring someone to monitor systems, to ensure network access can be cut off manually if need be.

Other experts point to the weaknesses in defensive strategies. "Sometimes, the attackers log right in using employees' access credentials and then proceed to access information on the network without using any custom malware," said Tom Cross, director of security at Lancope, a network security firm, in a prepared statement on Friday. "A defensive strategy that focuses exclusively on detecting exploits and malware cannot detect this sort of unauthorized activity."

This is the second time the DOE has reported a data breach this year. In February, intruders accessed sensitive information, and the agency announced later that month that it spent $20 million to beef up its security.