Nearly 3,000 critical and high-risk vulnerabilities were identified in three U.S. Department of the Interior (DOI) bureaus.
The Department's Inspector General wrote in a report on the vulnerabilities that they could allow a remote attacker to take control of publicly accessible computers or render them unavailable.
“More troubling,” the report states, is that a remote attacker could use “a compromised computer to attack the Department's internal or non-public computer networks.”
Of particular note, DOI's system hosted the 4.2 million federal personnel files stolen in the first Office of Personnel Management (OPM) data breach.
The OPM perpetrators are said to have used a contractor's credentials to get into OPM's system, which they then used to move over to the DOI network hosting the personnel data.
The DOI failed to monitor its publicly available systems for vulnerabilities, the report states, and didn't isolate those systems from its internal computer networks.