The 25,000 employees and contractors from the U.S. Department of Agriculture whose personal data was at risk after last month's computer break-in can exhale -- for now. The agency informed them this week that forensic analysis concluded no personal identity information was downloaded or moved to a non-agency computer. (See Data Losses Hit Four More.)
But does that mean the data wasn't viewed by hackers? There's no way to know for sure until the data gets exploited, security experts say. "They are a little optimistic here," says Andrew Jaquith, senior analyst with Yankee Group Research Inc. "It's easy to get stuff without leaving an audit trail. They don't say anything about local access. Did somebody with a USB drive access it and copy it?"
A USDA spokesman couldn't confirm whether the data had at the very least been eyeballed by intruders. "We are confident that there wasn't any personal data transferred outside the [USDA computer] system or downloaded," he says.
The agency is apparently confident about the safety of the personal data, because it also announced it was halting the free credit-monitoring services it had offered the potentially victimized users, who are located in the Washington, D.C., area.
The USDA Inspector General's office is handling the investigation into the break-in. Its forensics analysis studied computer logs from a machine involved in the breach and concluded personal data hadn't been moved.
In a press release, USDA deputy secretary Chuck Conner acknowledged that hackers attempt break-ins at the agency on an average of 2,000 times a day. "We take very seriously our responsibility to protect personal information," Conner said in a USDA press release.
The agency says it's reviewing how to minimize the amount of personal data it stores on its systems as well as its security measures to protect such data. Yankee's Jaquith says reducing personal data on the agency's systems is a smart move.
Kelly Jackson Higgins, Senior Editor, Dark Reading