The breach was more extensive than that originally reported by the Department. DoE Inspector General Gregory Friedman said in a report that hackers were able to gain access to names, Social Security numbers, dates of birth and other HR information that the DoE maintains to facilitate its administrative and operational needs. The Department's Management Information System (MIS) provides a gateway for users to access a system known as the DOE Employee Data Repository (DOEInfo) database – and it was this database that was infiltrated by hackers.
In spite of a number of early warning signs that certain personnel-related information systems were at risk, the auditors found that the DoE had not taken action necessary to protect the PII of a large number of its past and present employees, their dependents and many contractors. The review identified a number of technical and management issues that contributed to an environment in which the breach was possible, as well as numerous contributing factors related to inadequate management processes.
For one, the DoE didn’t implement accepted standards for protecting its networks, instead exposing the system directly to the internet. It also failed to patch known vulnerabilities due to confusion about who was in charge of making the fixes, and used complete Social Security numbers contrary to federal guidance. Pressure to keep systems running to maintain productivity exacerbated the issue, with the end result being a DoE that was essentially asleep at the switch, allowing weaknesses to go undetected and/or uncorrected.
“While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease,” said Friedman.
The issue has not been limited to the July breach, either. The department has been hacked three times since May 2011, according to auditors. And it’s costing real money: the DoE is offering one year of free credit monitoring for those whose PII was compromised, to protect them from identity theft, and is giving paid leave to personnel if they need it in order to rectify issues stemming from the information heist. In total, the efforts could cost taxpayers up to $3.7 million.
“Given the unprecedented extent of this security event and loss of PII, prompt and effective corrective actions are essential,” Friedman said.
The DoE agreed to implement the inspector general’s recommendations, starting with better information management processes. That means developing a central authority to shut down networks known to be vulnerable and removing unnecessary information from data bases, including Social Security numbers, whenever possible. The DoE has also been tasked with clarifying who is responsible for the affected systems.