Attacks/Breaches
9/3/2013
11:20 AM
50%
50%

Energy Department Updates Breach Count, Says 53,000 Affected

DOE offers employees a free year of identity theft monitoring services after hackers steal personal info, including social security numbers.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
The Department of Energy (DOE) has confirmed reports that it suffered a data breach in July that lead to the theft of employees' personally identifying information (PII).

"The department has now identified approximately 53,000 past and current federal employees, including dependents and contractors, whose name, social security number, and date of birth were compromised by this cyber incident," read a July 2013 Cyber Incident breach notification posted Friday to the DOE's public-facing website.

The July breach involved an outdated, publicly accessible ColdFusion system known as DOEInfo, which sources said hadn't been patched against known vulnerabilities. DOEInfo is an employee database owned and maintained by the agency's Office of the Chief Financial Officer.

"Based on the findings of the department's ongoing investigation into this incident, we do believe PII theft might have been the primary purpose of the attack," according to the notification. "Accordingly, the Department encourages each affected individual to be extra vigilant and to carefully monitor bank statements, credit card statements, emails and phone calls relating to recent financial transactions."

[ How dependable are iris scans? Read Iris Scans: Security Technology In Action. ]

In a phone interview Tuesday, an agency spokeswoman said that all affected employees have been offered a free year of identity theft monitoring services.

As is standard practice, the DOE breach is being investigated by the agency's Cybersecurity office, the Office of Health, Safety and Security, and the Inspector General's office, as well as federal law enforcement agencies. "Once the full nature and extent of this incident is known, the Department will implement a full remediation plan," said the notification.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
9/3/2013 | 9:59:51 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
This doesn't sound very comforting: "If you do not receive a notification letter by
September 15, 2013, you should assume it is unlikely your PII was
affected," according to the notification. "If DOE later determines your
PII was affected you will be notified, regardless of the date of
discovery." All around poor breach handling.
kcfredriksson
50%
50%
kcfredriksson,
User Rank: Apprentice
9/3/2013 | 6:35:34 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 individuals. $15/month for 12 months credit monitoring. That's $9.5 million (probably a bit less if they've negotiated a bulk discount), plus administrative costs. They don't have money to patch a known software vulnerability, but they have money to pay for credit monitoring? Oh, that's right. The taxpayers -- you and me -- will pay for this. Incompetence bordering on criminal. Do you trust these people to protect our nation's nuclear weapons designs? Oh wait... they've proven unable to do that as well.
Guest
50%
50%
Guest,
User Rank: Apprentice
9/3/2013 | 6:14:37 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 affected individuals, $15/month, 12 months. That's over $9.5M in credit monitoring at list prices (probably less since they should get a little bit of a discount from what I'd pay as an individual), plus the cost of administering it. They didn't have money to patch known vulnerable software, but they have it to pay these fees (and any fines that individual states will pile on as well)? Oh, that's right. We taxpayers will pay that, not the
WKash
50%
50%
WKash,
User Rank: Apprentice
9/3/2013 | 5:40:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
DOE's lack of transparency and double speak about this breach tends to reinforce the bad rap govt. gets on events like this.

As the DOE's answer to its own rhetorical question (above) suggests, "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies"-- except when they get hacked.

Hacks happen. But it's not very reassuring for DOE or federal employees in general to be told "We (DOE) are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another
successful attack."
DAVIDINIL
50%
50%
DAVIDINIL,
User Rank: Apprentice
9/3/2013 | 4:52:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
A year's worth of free credit monitoring is a steaming pile of dung. The DOE's incompetence would now require me to go thru the hassle of enrolling for the monitoring, monitioring it, having to go thru the hassle of getting reimbursed, then remembering to cancel it at the end of the year. Then I would be barraged by sales emails for as long as I owned the email address.
I see more of these announcements coming as the govt ramps up Obama care.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7266
Published: 2015-02-01
Algorithmic complexity vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x through 3.1.2 allows remote attackers to cause a denial of service (CPU consumption) via vectors that trigger colliding hash-table keys. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...

CVE-2014-7269
Published: 2015-02-01
ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earlier, and RT-N56U routers with firmware 3.0.0.4.376....

CVE-2014-7270
Published: 2015-02-01
Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earl...

CVE-2014-8630
Published: 2015-02-01
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shel...

CVE-2014-9200
Published: 2015-02-01
Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X8...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.