Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Energy Dept. Hack Details Emerge

Exclusive: Unpatched ColdFusion server containing employee information was hacked; agency claims lack of budget to put proper fixes in place.

The Department of Energy has disclosed new information concerning a recent cyberattack that compromised employees' personally identifying information (PII).

The sensitive PII data compromised was limited to names, dates of birth and social security numbers, according to an internal DOE memo distributed on Aug. 29. It said the stored information did not include banking, credit card or clearance information.

A spokesman for the DOE wasn't immediately available to confirm that it sent the memo, but an agency source confirmed its authenticity. Agency officials have so far declined to respond to all requests for comment on the breach.

[ What can we learn from the DOE breach? Read Department Of Energy Cyberattack: 5 Takeaways. ]

The data breach was first disclosed to employees in an Aug. 14 email, which said that no confidential DOE information had been stolen, and that data on 14,000 employees was compromised. The agency promised to notify all affected employees individually by the end of August.

The Aug. 29 memo revealed that the system hacked by attackers is called "DOEInfo." The system is owned and maintained by the agency's Office of the Chief Financial Officer.

According to agency sources, who spoke on condition of anonymity, the hacked application was Internet-accessible and written in ColdFusion, a rapid Web application development platform -- developed by Allaire, then purchased by Adobe in 2005 -- that was originally designed to allow HTML pages to be connected to databases. But the version of ColdFusion being used for DOEInfo remained outdated and vulnerable to known exploits.

According to DOE sources, the problem of insecure systems that contain PII is widely known at the agency but difficult to change since more than 1,000 systems tap DOEInfo, which maintains a single user ID for each employee, tied to employee access permissions. "Our logins still use our initials and parts of our SSN (duh), who would think that was good enough in the first place?" one source said in an email message. "Complaining doesn't help. The answer is always, it costs too much to redo our PII."

The breach notification was also published on a DOE intranet, where some employees complained about a lack of timely, forthright communication about the breach. Some questioned whether agency officials are covering up the full extent of the breach.

The July breach marked the second time this year that DOE employee information was compromised in a cyberattack, following a January intrusion.

The memo distributed on Aug. 29 stated "The Office of Cyber Security is working with organizations at DOE to obtain verifiable information and direction," presumably referring to the agency's participation in the breach investigation, which also involves federal law enforcement agencies. "As information becomes available, we will inform employees through e-mail and updates to the article," it continued, referring to a copy of the Thursday data breach notification that was also posted to an agency intranet.

According to a spokeswoman, the DOE has offered a year's worth of free credit monitoring services to affected employees.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
builder7
50%
50%
builder7,
User Rank: Apprentice
9/2/2013 | 4:50:06 AM
re: Energy Dept. Hack Details Emerge
It is just that they lack of the tools necessary to know what to do, like knowledge - but of course they have been hired because of who they know!
builder7
50%
50%
builder7,
User Rank: Apprentice
9/2/2013 | 4:48:36 AM
re: Energy Dept. Hack Details Emerge
So, these are the people who do security checks on educated individuals who work for them when they cannot even buy the proper software so that they can do their job? How can one trust the people that do these security checks on people when they themselves cannot even support a modicum of security? It seems to me that it is another case of the good old boys running the show without having the smarts to actually do that. What are we going to do if we get attacked and our nuclear plants and electrical grid are targeted - trust the DOE?
erlrodd
50%
50%
erlrodd,
User Rank: Apprentice
8/31/2013 | 1:37:08 PM
re: Energy Dept. Hack Details Emerge
When they say they "don't have funds to update", this is a political statement meant for outside consumption. In the "real" world, it means "other things are higher priorities than security." Maybe so. However, I fear that government bureaucrats are so used to an unlimited funds environment that the concept of priorities becomes foreign to them!
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
8/30/2013 | 7:29:52 PM
re: Energy Dept. Hack Details Emerge
"Taking Charge"? The FTC pamphlet should really be called "Surrendering To The Inevitable." Taking Charge would be avoiding this sort of thing in the first place.
WKash
50%
50%
WKash,
User Rank: Apprentice
8/30/2013 | 7:19:11 PM
re: Energy Dept. Hack Details Emerge
Thanks for sharing the details on why this happened. It offers yet another example of why agency leaders can't just shrug their shoulders about legacy software, especially for the web.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.