Attacks/Breaches
9/3/2013
11:20 AM
Connect Directly
RSS
E-Mail
50%
50%

Energy Department Updates Breach Count, Says 53,000 Affected

DOE offers employees a free year of identity theft monitoring services after hackers steal personal info, including social security numbers.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
The Department of Energy (DOE) has confirmed reports that it suffered a data breach in July that lead to the theft of employees' personally identifying information (PII).

"The department has now identified approximately 53,000 past and current federal employees, including dependents and contractors, whose name, social security number, and date of birth were compromised by this cyber incident," read a July 2013 Cyber Incident breach notification posted Friday to the DOE's public-facing website.

The July breach involved an outdated, publicly accessible ColdFusion system known as DOEInfo, which sources said hadn't been patched against known vulnerabilities. DOEInfo is an employee database owned and maintained by the agency's Office of the Chief Financial Officer.

"Based on the findings of the department's ongoing investigation into this incident, we do believe PII theft might have been the primary purpose of the attack," according to the notification. "Accordingly, the Department encourages each affected individual to be extra vigilant and to carefully monitor bank statements, credit card statements, emails and phone calls relating to recent financial transactions."

[ How dependable are iris scans? Read Iris Scans: Security Technology In Action. ]

In a phone interview Tuesday, an agency spokeswoman said that all affected employees have been offered a free year of identity theft monitoring services.

As is standard practice, the DOE breach is being investigated by the agency's Cybersecurity office, the Office of Health, Safety and Security, and the Inspector General's office, as well as federal law enforcement agencies. "Once the full nature and extent of this incident is known, the Department will implement a full remediation plan," said the notification.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
DAVIDINIL
50%
50%
DAVIDINIL,
User Rank: Apprentice
9/3/2013 | 4:52:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
A year's worth of free credit monitoring is a steaming pile of dung. The DOE's incompetence would now require me to go thru the hassle of enrolling for the monitoring, monitioring it, having to go thru the hassle of getting reimbursed, then remembering to cancel it at the end of the year. Then I would be barraged by sales emails for as long as I owned the email address.
I see more of these announcements coming as the govt ramps up Obama care.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/3/2013 | 5:40:09 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
DOE's lack of transparency and double speak about this breach tends to reinforce the bad rap govt. gets on events like this.

As the DOE's answer to its own rhetorical question (above) suggests, "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies"-- except when they get hacked.

Hacks happen. But it's not very reassuring for DOE or federal employees in general to be told "We (DOE) are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another
successful attack."
Guest
50%
50%
Guest,
User Rank: Apprentice
9/3/2013 | 6:14:37 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 affected individuals, $15/month, 12 months. That's over $9.5M in credit monitoring at list prices (probably less since they should get a little bit of a discount from what I'd pay as an individual), plus the cost of administering it. They didn't have money to patch known vulnerable software, but they have it to pay these fees (and any fines that individual states will pile on as well)? Oh, that's right. We taxpayers will pay that, not the
kcfredriksson
50%
50%
kcfredriksson,
User Rank: Apprentice
9/3/2013 | 6:35:34 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
53,000 individuals. $15/month for 12 months credit monitoring. That's $9.5 million (probably a bit less if they've negotiated a bulk discount), plus administrative costs. They don't have money to patch a known software vulnerability, but they have money to pay for credit monitoring? Oh, that's right. The taxpayers -- you and me -- will pay for this. Incompetence bordering on criminal. Do you trust these people to protect our nation's nuclear weapons designs? Oh wait... they've proven unable to do that as well.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
9/3/2013 | 9:59:51 PM
re: Energy Department Updates Breach Count, Says 53,000 Affected
This doesn't sound very comforting: "If you do not receive a notification letter by
September 15, 2013, you should assume it is unlikely your PII was
affected," according to the notification. "If DOE later determines your
PII was affected you will be notified, regardless of the date of
discovery." All around poor breach handling.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.