9 Android Apps To Improve Security, Privacy

The Department of Energy (DOE) has confirmed reports that it suffered a data breach in July that lead to the theft of employees' personally identifying information (PII).

"The department has now identified approximately 53,000 past and current federal employees, including dependents and contractors, whose name, social security number, and date of birth were compromised by this cyber incident," read a July 2013 Cyber Incident breach notification posted Friday to the DOE's public-facing website.

The July breach involved an outdated, publicly accessible ColdFusion system known as DOEInfo, which sources said hadn't been patched against known vulnerabilities. DOEInfo is an employee database owned and maintained by the agency's Office of the Chief Financial Officer.

"Based on the findings of the department's ongoing investigation into this incident, we do believe PII theft might have been the primary purpose of the attack," according to the notification. "Accordingly, the Department encourages each affected individual to be extra vigilant and to carefully monitor bank statements, credit card statements, emails and phone calls relating to recent financial transactions."

[ How dependable are iris scans? Read Iris Scans: Security Technology In Action. ]

In a phone interview Tuesday, an agency spokeswoman said that all affected employees have been offered a free year of identity theft monitoring services.

As is standard practice, the DOE breach is being investigated by the agency's Cybersecurity office, the Office of Health, Safety and Security, and the Inspector General's office, as well as federal law enforcement agencies. "Once the full nature and extent of this incident is known, the Department will implement a full remediation plan," said the notification. The DOE's breach notification is also interesting for what it doesn't say. For example, it poses this rhetorical question: "How did the disclosure of personally identifiable information happen?" But the agency's own response is a non-answer: "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies. We are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another successful attack."

The agency's Friday announcement marked the first public comment issued by the agency since it confirmed that a leaked DOE memo published by The Wall Street Journal on Aug. 15, 2013 -- which said that a late July hack had compromised PII for 14,000 current and former agency employees -- was genuine. But as the agency's investigation has continued, the count of affected people has climbed to 53,000, and expanded to include dependents and contractors.

The agency said that it will notify all breach victims within the next two weeks. "If you do not receive a notification letter by September 15, 2013, you should assume it is unlikely your PII was affected," according to the notification. "If DOE later determines your PII was affected you will be notified, regardless of the date of discovery."

But the agency has directly notified affected employees as its investigation progressed. One agency employee said via email that both she and her husband, who's retired from the agency, received breach notification letters dated Aug. 16, which said that their PII was believed to have been compromised, and which also offered them a year's free credit monitoring.

Details of the investigation, however, don't appear to have been fully shared with officials at DOE facilities, which are run by contractors. Sources said that some facilities officials have literally been combing through Microsoft Exchange mailboxes to try to identify which of their personnel received a direct breach notification, so that officials at the facility can identify who was affected, as well as offer follow-up guidance and support.

The July breach marked the second time this year that the agency suffered an intrusion, following a January hack attack that was disclosed in February.

News of the July breach has been posted to internal DOE websites, where personnel can respond. One commenter claimed to have seen up to $5,000 in fraudulent charges as a result of the breach, thanks to a cell phone that was fraudulently obtained in his name. Others criticized DOE officials for doing too little to safeguard their personal information. "I will provide the hackers my shoe size, so get it right," one said.