Attacks/Breaches
9/3/2013
11:20 AM

Energy Department Updates Breach Count, Says 53,000 Affected

DOE offers employees a free year of identity theft monitoring services after hackers steal personal info, including Social Security numbers.

The DOE's breach notification is also interesting for what it doesn't say. For example, it poses this rhetorical question: "How did the disclosure of personally identifiable information happen?" But the agency's own response is a non-answer: "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies. We are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another successful attack."

The agency's Friday announcement marked the first public comment issued by the agency since it confirmed that a leaked DOE memo published by The Wall Street Journal on Aug. 15, 2013 -- which said that a late July hack had compromised PII for 14,000 current and former agency employees -- was genuine. But as the agency's investigation has continued, the count of affected people has climbed to 53,000, and expanded to include dependents and contractors.

The agency said that it will notify all breach victims within the next two weeks. "If you do not receive a notification letter by September 15, 2013, you should assume it is unlikely your PII was affected," according to the notification. "If DOE later determines your PII was affected you will be notified, regardless of the date of discovery."

But the agency has directly notified affected employees as its investigation progressed. One agency employee said via email that both she and her husband, who's retired from the agency, received breach notification letters dated Aug. 16, which said that their PII was believed to have been compromised, and which also offered them a year's free credit monitoring.

Details of the investigation, however, don't appear to have been fully shared with officials at DOE facilities, which are run by contractors. Sources said that some facilities officials have literally been combing through Microsoft Exchange mailboxes to try to identify which of their personnel received a direct breach notification, so that officials at the facility can identify who was affected, as well as offer follow-up guidance and support.

The July breach marked the second time this year that the agency suffered an intrusion, following a January hack attack that was disclosed in February.

News of the July breach has been posted to internal DOE websites, where personnel can respond. One commenter claimed to have seen up to $5,000 in fraudulent charges as a result of the breach, thanks to a cell phone that was fraudulently obtained in his name. Others criticized DOE officials for doing too little to safeguard their personal information. "I will provide the hackers my shoe size, so get it right," one said.

Comments
MarciaNWC,
User Rank: Apprentice
9/3/2013 | 9:59:51 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
This doesn't sound very comforting: "If you do not receive a notification letter by September 15, 2013, you should assume it is unlikely your PII was affected," according to the notification. "If DOE later determines your PII was affected you will be notified, regardless of the date of discovery." All around poor breach handling.
kcfredriksson,
User Rank: Apprentice
9/3/2013 | 6:35:34 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 individuals. $15/month for 12 months credit monitoring. That's $9.5 million (probably a bit less if they've negotiated a bulk discount), plus administrative costs. They don't have money to patch a known software vulnerability, but they have money to pay for credit monitoring? Oh, that's right. The taxpayers -- you and me -- will pay for this. Incompetence bordering on criminal. Do you trust these people to protect our nation's nuclear weapons designs? Oh wait... they've proven unable to do that as well.
Guest,
User Rank: Apprentice
9/3/2013 | 6:14:37 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 affected individuals, $15/month, 12 months. That's over $9.5M in credit monitoring at list prices (probably less since they should get a little bit of a discount from what I'd pay as an individual), plus the cost of administering it. They didn't have money to patch known vulnerable software, but they have it to pay these fees (and any fines that individual states will pile on as well)? Oh, that's right. We taxpayers will pay that, not the
WKash,
User Rank: Apprentice
9/3/2013 | 5:40:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
DOE's lack of transparency and double speak about this breach tends to reinforce the bad rap govt. gets on events like this.

As the DOE's answer to its own rhetorical question (above) suggests, "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies"-- except when they get hacked.

Hacks happen. But it's not very reassuring for DOE or federal employees in general to be told "We (DOE) are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another successful attack."
DAVIDINIL,
User Rank: Apprentice
9/3/2013 | 4:52:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
A year's worth of free credit monitoring is a steaming pile of dung. The DOE's incompetence would now require me to go thru the hassle of enrolling for the monitoring, monitoring it, having to go thru the hassle of getting reimbursed, then remembering to cancel it at the end of the year. Then I would be barraged by sales emails for as long as I owned the email address.
I see more of these announcements coming as the govt ramps up Obama care.