The U.S. Department of Energy has thrown back the covers on a July breach that exposed the personal information of more than 104,000 individuals, painting a less than flattering portrait of IT and agency management failures around vulnerability management, access controls and a general lack of communication between decision makers.
Hackers were able to penetrate a Web-facing application and steal personal information on 104,179 current and former employees, dependents and contractors. They were able to get in quietly and get out with names, addresses, Social Security numbers, dates of birth and bank account information, all in unencrypted data formats.
Worse, the DOE failed to live up to industry standards and government mandates around not only encryption of sensitive data, but using Social Security numbers as identifiers, running IT systems with unpatched critical vulnerabilities and outdated software.
The most damning aspect to the breach was that a $4,200 software update, purchased in March, that would have prevented the breach and instead sat for five months in a testing environment, cost significantly less than the expected $3.7 million price tag for credit monitoring and other recovery costs.
“In spite of a number of early warning signs that certain personnel-related information systems were at risk, the Department had not taken action necessary to protect the PII of a large number of its past and present employees, their dependents and many contractors,” Inspector General Gregory Friedman wrote in a special report released last week.
The report said numerous technical and management shortcomings conspired to facilitate the breach, which was the third at the agency since 2011, yet the first to result in significant data loss.
Hackers were able to access the Web-facing Management Information Systems (MIS) front end for the DOE Employee Data Repository, also known as the DOEInfo database. In addition to personally identifiable information, hackers made off with HSPD12 badge information as well as security question-and-answer information used for password resets.
In addition to patching failures, decision makers in the Office of the CIO and Office of the CFO—the business owners of the MIS and DOEInfo systems—knew little of what the other was doing. The two systems, despite being interconnected, were not integrated securely, the report said. Systems that had reached end-of-life were still running, including the compromised MIS front end. The real kicker is that the Office of the CIO had not certified—as required—or provided MIS with the authorization to operate.
Neither office was completely aware of their respective operating environments or of system inventory. Critically vulnerable systems were not patched in a timely fashion and of the 30 systems integrated with the DOEInfo database, two of those were no longer used, including one that was breached that was still storing personal data.
“Officials told us that they lacked the authority to impose restrictions on system operation or take other corrective measures when known security vulnerabilities were not addressed,” the report said, citing competing priorities as a contributor to the circumstances that facilitated the attack. “We could not determine with certainty whether the lack of authority, in all instances, was real or only perceived.”
One glaring example: the Office of the CIO said system owners prohibited timely patching because downtime would interfere with productivity; those same system owners, meanwhile said security issues were sent to the CIO office, which never responded.
“We found that communication issues within the OCIO likely contributed to the recent breach,” the report said. “Specifically, system anomalies discovered by an application developer and reported to the OCIO prior to the breach were not fully investigated prior to being corrected. In this case, we question the thoroughness of Department’s analysis of the reported anomalies.”
As for the attack, the report concluded that the hackers used readily available exploits to get past the MIS front end and attack the DOEInfo database. The report cited evidence the MIS front end had not been patched in years, and that an operating system utility and third party developer application had not been updated since 2011. The vulnerability exploited by the hackers, meanwhile, was identified by the vendor in question in January.
The Office of the CIO, which is responsible for patching at the agency, said it purchased a software update for the MIS front end in March, but functionality issues with interconnected systems left it in a test environment and prevented it from being deployed. Numerous Inspector-General reports throughout the years have pointed out shortcomings with vulnerability management in the agency; scanning and monitoring on this particular app were not done until March and the vulnerabilities were ignored, the report said.
“The Department can begin to rebuild trust by revamping its headquarters’ cyber security program and control environment, enhancing communications and coordination in a number of areas related to cyber security and safeguarding PII and moving away from the ‘stove piping’ approach to managing information systems and data,” the report said, adding recommendations that include identifying all externally facing systems, implementing continuous monitoring, removing unnecessary information from the DOEInfo database, and encrypting sensitive data.