A special report commissioned by the Department of Energy in response to a breach of the DOE Employee Data Repository (DOEInfo) database in July acknowledges that the attack exposed the personally identifiable information (PII) of more than 104,000 individuals, including data on current and former employees, dependents and contractors.
“Among other data elements, information stored in DOEInfo included name, address, Social Security number, date and place of birth, and banking information,” the report states.
“In spite of a number of early warning signs that certain personnel-related information systems were at risk, the Department had not taken action necessary to protect the PII of a large number of its past and present employees, their dependents and many contractors,” the report continued.
Technical and management issues that contributed to the breach include:
- The use of full Social Security numbers as identifiers, and a failure to encrypt PII
- Permitting direct internet access to a highly sensitive system without adequate security controls
- Lack of assurance that required security planning and testing activities were conducted
- Permitting systems to operate even though they were known to have critical and/or high-risk security vulnerabilities
- Competing priorities between mission-related work and cyber security that resulted in continued operation of systems even though they were known to have high-risk vulnerabilities
- Unclear lines of responsibility between and within program and staff offices, and a lack of awareness by responsible officials regarding the complete operating environment of the vulnerable database
- Ineffective communications and coordination among responsible officials
“While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease,” the report continued.