Attacks/Breaches
9/3/2013
11:20 AM
Connect Directly
RSS
E-Mail
50%
50%

Energy Department Updates Breach Count, Says 53,000 Affected

DOE offers employees a free year of identity theft monitoring services after hackers steal personal info, including social security numbers.

The DOE's breach notification is also interesting for what it doesn't say. For example, it poses this rhetorical question: "How did the disclosure of personally identifiable information happen?" But the agency's own response is a non-answer: "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies. We are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another successful attack."

The agency's Friday announcement marked the first public comment issued by the agency since it confirmed that a leaked DOE memo published by The Wall Street Journal on Aug. 15, 2013 -- which said that a late July hack had compromised PII for 14,000 current and former agency employees -- was genuine. But as the agency's investigation has continued, the count of affected people has climbed to 53,000, and expanded to include dependents and contractors.

The agency said that it will notify all breach victims within the next two weeks. "If you do not receive a notification letter by September 15, 2013, you should assume it is unlikely your PII was affected," according to the notification. "If DOE later determines your PII was affected you will be notified, regardless of the date of discovery."

But the agency has directly notified affected employees as its investigation progressed. One agency employee said via email that both she and her husband, who's retired from the agency, received breach notification letters dated Aug. 16, which said that their PII was believed to have been compromised, and which also offered them a year's free credit monitoring.

Details of the investigation, however, don't appear to have been fully shared with officials at DOE facilities, which are run by contractors. Sources said that some facilities officials have literally been combing through Microsoft Exchange mailboxes to try to identify which of their personnel received a direct breach notification, so that officials at the facility can identify who was affected, as well as offer follow-up guidance and support.

The July breach marked the second time this year that the agency suffered an intrusion, following a January hack attack that was disclosed in February.

News of the July breach has been posted to internal DOE websites, where personnel can respond. One commenter claimed to have seen up to $5,000 in fraudulent charges as a result of the breach, thanks to a cell phone that was fraudulently obtained in his name. Others criticized DOE officials for doing too little to safeguard their personal information. "I will provide the hackers my shoe size, so get it right," one said.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
9/3/2013 | 9:59:51 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
This doesn't sound very comforting: "If you do not receive a notification letter by
September 15, 2013, you should assume it is unlikely your PII was
affected," according to the notification. "If DOE later determines your
PII was affected you will be notified, regardless of the date of
discovery." All around poor breach handling.
kcfredriksson
50%
50%
kcfredriksson,
User Rank: Apprentice
9/3/2013 | 6:35:34 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 individuals. $15/month for 12 months credit monitoring. That's $9.5 million (probably a bit less if they've negotiated a bulk discount), plus administrative costs. They don't have money to patch a known software vulnerability, but they have money to pay for credit monitoring? Oh, that's right. The taxpayers -- you and me -- will pay for this. Incompetence bordering on criminal. Do you trust these people to protect our nation's nuclear weapons designs? Oh wait... they've proven unable to do that as well.
Guest
50%
50%
Guest,
User Rank: Apprentice
9/3/2013 | 6:14:37 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 affected individuals, $15/month, 12 months. That's over $9.5M in credit monitoring at list prices (probably less since they should get a little bit of a discount from what I'd pay as an individual), plus the cost of administering it. They didn't have money to patch known vulnerable software, but they have it to pay these fees (and any fines that individual states will pile on as well)? Oh, that's right. We taxpayers will pay that, not the
WKash
50%
50%
WKash,
User Rank: Apprentice
9/3/2013 | 5:40:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
DOE's lack of transparency and double speak about this breach tends to reinforce the bad rap govt. gets on events like this.

As the DOE's answer to its own rhetorical question (above) suggests, "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies"-- except when they get hacked.

Hacks happen. But it's not very reassuring for DOE or federal employees in general to be told "We (DOE) are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another
successful attack."
DAVIDINIL
50%
50%
DAVIDINIL,
User Rank: Apprentice
9/3/2013 | 4:52:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
A year's worth of free credit monitoring is a steaming pile of dung. The DOE's incompetence would now require me to go thru the hassle of enrolling for the monitoring, monitioring it, having to go thru the hassle of getting reimbursed, then remembering to cancel it at the end of the year. Then I would be barraged by sales emails for as long as I owned the email address.
I see more of these announcements coming as the govt ramps up Obama care.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio