Officials at the United States Census Bureau say that the attackers who compromised one of the bureau’s databases last week did not get access to any confidential information, but only data such as names and phone numbers of organizations that submit information to the Federal Audit Clearinghouse.
The data breach appears to have hit only the FAC, an office within the Census Bureau that is tasked with collecting information from states, counties, and towns that receive federal financial assistance. Bureau officials said that the attackers were able to compromise the FAC database through a faulty configuration setting.
“The Federal Audit Clearinghouse is used to collect single audit reporting packages from state and local governments, non-profit organizations, and Indian tribes expending Federal awards. The federal awarding agencies use the single audit reports to ensure program compliance. We were in the process of making additional Clearinghouse information available via the Internet next year,” a blog post from John H. Thompson, director of the Census Bureau, says.
“Within 90 minutes of learning of the breach, we made the system inaccessible. It will remain offline until we can complete our thorough investigation and take steps to ensure the systems integrity in the future.”
There has not been any information released on how many organizations are affected by the breach, but Thompson said that the bureau’s security team hasn’t found any evidence that the attackers were able to move from the FAC database to any other internal systems.
“It appears the database was compromised through a configuration setting that allowed the attacker to gain access to the four files posted to the hacker’s site. The hackers acquired the data illegally, but as I indicated above, the Clearinghouse site does not store any confidential household or business data collected by the Census Bureau,” Thompson said.
“That information remains safe, secure and on an internal network segmented apart from the external site and the affected database. Over the last three days, we have seen no indication that there was any access to internal systems.”
It has been a tough year for the federal government when it comes to data breaches. The Census Bureau attack follows the massive compromise of the Office of Personnel Management that came to light in the spring. The OPM breach resulted in the compromise of personal information belonging to more than 20 million people, data that was taken from background check investigations. Some of the stolen information includes fingerprints and other highly sensitive data. Congress has come down hard on OPM in the last few months, and the breach resulted in the resignation of OPM Director Katherine Archuleta.
The Census Bureau’s Thompson said the agency will work to improve its security defenses in the wake of the breach.
“The IT security office is continuing its investigation, and they will further strengthen our security systems based on what they learn. I assure you that we will continue to safeguard the information and data of both the public and our employees,” Thompson said.