A number of current and past employees at the U.S. Department of Energy (DOE) are being notified in letters that an unauthorized party gained access to their personally identifiable information (PII) on the agency's network.
Roughly 14,000 former and present workers may have been affected, according to the email notification, and although it does not reveal what type of information was involved in the apparent heist, PII typically means names, Social Security numbers, dates of birth, medical records or anything that might be linkable to an individual.
No classified data was targeted or compromised, according to the letter, which was obtained by The Wall Street Journal.
The DOE's cyber security office, as well as the Office of Health, Safety and Security (within the DOE) and the Office of Inspector General (part of the U.S. Department of Health & Human Services) are working collaboratively with federal law enforcement to determine exactly how the incident occurred, but it was said to have taken place at the end of July.
The DOE will develop a “remediation plan” as soon as the investigation concludes, but for now officials are spending the remainder of August alerting those who may have had information compromised. Affected employees will receive one free year of credit monitoring services.
Cameron Camp, a security researcher with IT security company ESET, told SCMagazine.com on Friday that he believes the attack was deliberate. While he could not say for sure since the DOE has not revealed the method of the intrusion, he said that the limited details mean "effort was involved" and that "the DOE has to stay on its guard."
Organizations must understand methods used to build defenses against these kinds of attacks, said Camp. He made general suggestions, including setting specific hours when certain data can travel outside of a firewall, and perhaps even hiring someone to monitor systems, to ensure network access can be cut off manually if need be.
Other experts point to the weaknesses in defensive strategies. “Sometimes, the attackers log right in using employees access credentials and then proceed to access information on the network without using any custom malware," said Tom Cross, director of security at Lancope, a network security firm, in a prepared statement on Friday. "A defensive strategy that focuses exclusively on detecting exploits and malware cannot detect this sort of unauthorized activity.”This is the second time the DOE has reported a data breach this year. In February, intruders accessed sensitive information, and the agency announced later that month that it spent $20 million to beef up its security.