Attacks/Breaches
9/3/2013
11:20 AM
50%
50%

Energy Department Updates Breach Count, Says 53,000 Affected

DOE offers employees a free year of identity theft monitoring services after hackers steal personal info, including social security numbers.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
The Department of Energy (DOE) has confirmed reports that it suffered a data breach in July that lead to the theft of employees' personally identifying information (PII).

"The department has now identified approximately 53,000 past and current federal employees, including dependents and contractors, whose name, social security number, and date of birth were compromised by this cyber incident," read a July 2013 Cyber Incident breach notification posted Friday to the DOE's public-facing website.

The July breach involved an outdated, publicly accessible ColdFusion system known as DOEInfo, which sources said hadn't been patched against known vulnerabilities. DOEInfo is an employee database owned and maintained by the agency's Office of the Chief Financial Officer.

"Based on the findings of the department's ongoing investigation into this incident, we do believe PII theft might have been the primary purpose of the attack," according to the notification. "Accordingly, the Department encourages each affected individual to be extra vigilant and to carefully monitor bank statements, credit card statements, emails and phone calls relating to recent financial transactions."

[ How dependable are iris scans? Read Iris Scans: Security Technology In Action. ]

In a phone interview Tuesday, an agency spokeswoman said that all affected employees have been offered a free year of identity theft monitoring services.

As is standard practice, the DOE breach is being investigated by the agency's Cybersecurity office, the Office of Health, Safety and Security, and the Inspector General's office, as well as federal law enforcement agencies. "Once the full nature and extent of this incident is known, the Department will implement a full remediation plan," said the notification.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
9/3/2013 | 9:59:51 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
This doesn't sound very comforting: "If you do not receive a notification letter by
September 15, 2013, you should assume it is unlikely your PII was
affected," according to the notification. "If DOE later determines your
PII was affected you will be notified, regardless of the date of
discovery." All around poor breach handling.
kcfredriksson
50%
50%
kcfredriksson,
User Rank: Apprentice
9/3/2013 | 6:35:34 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 individuals. $15/month for 12 months credit monitoring. That's $9.5 million (probably a bit less if they've negotiated a bulk discount), plus administrative costs. They don't have money to patch a known software vulnerability, but they have money to pay for credit monitoring? Oh, that's right. The taxpayers -- you and me -- will pay for this. Incompetence bordering on criminal. Do you trust these people to protect our nation's nuclear weapons designs? Oh wait... they've proven unable to do that as well.
Guest
50%
50%
Guest,
User Rank: Apprentice
9/3/2013 | 6:14:37 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 affected individuals, $15/month, 12 months. That's over $9.5M in credit monitoring at list prices (probably less since they should get a little bit of a discount from what I'd pay as an individual), plus the cost of administering it. They didn't have money to patch known vulnerable software, but they have it to pay these fees (and any fines that individual states will pile on as well)? Oh, that's right. We taxpayers will pay that, not the
WKash
50%
50%
WKash,
User Rank: Apprentice
9/3/2013 | 5:40:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
DOE's lack of transparency and double speak about this breach tends to reinforce the bad rap govt. gets on events like this.

As the DOE's answer to its own rhetorical question (above) suggests, "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies"-- except when they get hacked.

Hacks happen. But it's not very reassuring for DOE or federal employees in general to be told "We (DOE) are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another
successful attack."
DAVIDINIL
50%
50%
DAVIDINIL,
User Rank: Apprentice
9/3/2013 | 4:52:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
A year's worth of free credit monitoring is a steaming pile of dung. The DOE's incompetence would now require me to go thru the hassle of enrolling for the monitoring, monitioring it, having to go thru the hassle of getting reimbursed, then remembering to cancel it at the end of the year. Then I would be barraged by sales emails for as long as I owned the email address.
I see more of these announcements coming as the govt ramps up Obama care.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?