Details Behind a Very Costly Breach
In-Depth Assessment of Hack on Energy Department System
A combination of technical and managerial problems set the stage for hackers last summer to breach the Department of Energy's Employee Data Repository database, known as DOEInfo, a new report shows. The incident, which exposed the personally identifiable information of at least 104,000 individuals, proved costly.
In a newly issued special report by DoE's inspector general, auditors estimate the cost of the breach at no less than $3.7 million: $1.6 million for credit monitoring for victims and salaries for call center employees handling breach inquiries, plus $2.1 million in lost productivity as employees took time off from work to deal with the personal consequences of the breach.
DoE Inspector General Gregory Friedman didn't identify a single point of failure that led to the breach in the special report, but says a combination of technical and managerial problems set the stage for hackers to access the system with relative ease.
"The attackers in this case were able to use exploits commonly available on the Internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data - information that could be used to damage the financial and personal interests of many individuals," he says.
Receiving DHS Help
DoE spokeswoman Niketa Kumar says the department takes the security of its databases and systems very seriously and appreciates the inspector general's review, which Robert Brese, the department's chief information officer, had requested. "The department continues to work with its federal partners, including the Department of Homeland Security, to put in place new protections to further strengthen our cyberdefenses and restrict unauthorized disclosure," Kumar says.
The department is examining all of its online systems and applications and implementing new protections to further strengthen cyber-defenses and restrict unauthorized access, a process started immediately after the breach. By the end of January, DoE says it expects to remove all unnecessary information and Social Security numbers where feasible and add encryption tools to protect the remaining information.
The department also says it will implement continuous monitoring of all DoE systems and strengthen its overall capability to respond quickly and effectively to any cyber-incident.
The Breach Timeline
On July 2, an application developer working for the chief financial officer's office noticed an anomaly in the DOEInfo system logs while investigating an unrelated matter, the special report reveals. The developer reported the anomaly to the Energy Department's IT services organization, which reports to the CIO.
Twenty-two days later, on July 24, hackers breached the department's management information system (MIS) server, according to a subsequent forensic analysis. The next day, DoE discovered another anomaly: The server ran out of space and failed to respond to a normal data request, even though CFO office representatives contend there should have been ample space available. Rather than investigate, computer operators deleted the largest unnecessary data file on the server to allow the system to function normally.
On July 26, attackers exfiltrated data from the DOEInfo database through the MIS server after elevating their privileges to a role that provided unlimited access to the database and other files on the MIS server. They then ran more than 600 queries against the system, according to the special report.
DoE discovered the breach on Aug. 8 and took the server offline. Ten days later, DoE reactivated the server on the internal network after rebuilding the virtual machine and Web application using a clean operating system and an updated version of the application software.
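The sequence the IG reconstructs, a role elevation followed by more than 600 queries from the same account, is exactly the kind of pattern a database audit trail can surface on its own, well before a disk fills up or a tipster notices. The following is an added example, not code from the IG report or the department: it correlates a grant of a privileged role with a burst of queries by the same account, run over a constructed audit log in a hypothetical key=value format. The role names, the 100-query threshold, the 30-minute window and the log format are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the report): which roles count as privileged, and how
# many queries within what window of a grant constitute a burst worth alerting on.
PRIVILEGED_ROLES = {"db_owner", "sysadmin"}
BURST_WINDOW = timedelta(minutes=30)
BURST_THRESHOLD = 100

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Parse one line of the hypothetical audit format: '<iso-ts> key=value ...'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, TS_FMT)
    return fields


def detect_post_elevation_bursts(log_text):
    """Alert when an account, after being granted a privileged role, issues
    BURST_THRESHOLD or more queries within BURST_WINDOW of the grant.
    Returns one alert dict per grant that crosses the threshold."""
    latest_grant = {}                        # user -> {"ts": ..., "role": ...}
    queries_since_grant = defaultdict(int)   # user -> queries counted after the grant
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user = ev["user"]
        if ev["event"] == "ROLE_GRANT" and ev.get("role") in PRIVILEGED_ROLES:
            latest_grant[user] = {"ts": ev["ts"], "role": ev["role"]}
            queries_since_grant[user] = 0
        elif ev["event"] == "QUERY" and user in latest_grant:
            grant = latest_grant[user]
            if ev["ts"] - grant["ts"] <= BURST_WINDOW:
                queries_since_grant[user] += 1
                # Fire exactly once, on the query that crosses the threshold.
                if queries_since_grant[user] == BURST_THRESHOLD:
                    alerts.append({
                        "user": user,
                        "role": grant["role"],
                        "granted_at": grant["ts"],
                        "threshold_reached_at": ev["ts"],
                    })
    return alerts


def build_sample_log():
    """Constructed audit trail (fake data, not DoE records) mirroring the
    article's shape: a quiet service account, a DBA who is granted a privileged
    role and behaves normally, and a web application account that is granted
    db_owner and then runs 650 queries in under eleven minutes."""
    fmt = lambda dt: dt.strftime(TS_FMT)
    base = datetime(2013, 7, 26, 2, 0, 0)
    lines = []
    for i in range(20):
        lines.append(f"{fmt(base + timedelta(minutes=i))} user=appsvc event=QUERY rows=12")
    lines.append(f"{fmt(base + timedelta(minutes=1))} user=dba event=ROLE_GRANT role=sysadmin")
    lines.append(f"{fmt(base + timedelta(minutes=2))} user=dba event=QUERY rows=1")
    grant = base + timedelta(minutes=5)
    lines.append(f"{fmt(grant)} user=webapp event=ROLE_GRANT role=db_owner")
    for i in range(650):
        lines.append(f"{fmt(grant + timedelta(seconds=i + 1))} user=webapp event=QUERY rows=5000")
    # ISO-8601 timestamps sort chronologically as plain text.
    return "\n".join(sorted(lines))


SAMPLE_AUDIT_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect_post_elevation_bursts(SAMPLE_AUDIT_LOG):
        print(alert)
```

The rule deliberately ignores the DBA, who was also granted a privileged role: the signal is the combination of elevation and volume, not either alone. In a real deployment the threshold would be tuned against each account's baseline query rate, and the alert would carry enough context (grant time, requesting session, first and last query) for an analyst to act on it without rerunning the search.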
In late October, authorities arrested Lauri Love, 28, of Stradishall, England, on charges of hacking into DoE and other government systems (see Brit Charged with Hacking Federal IT). In an online conversation obtained by law enforcement, Love and his conspirators discussed the data breach in real time as they carried out the hack. According to Justice Department records, Love commented, "they [the DoE] must have about 30k employees," and then cut and pasted the personal information of various employees from the protected computer into the online conversation.
Missteps Leading to the Breach
The audit shows that competing priorities between business and security officials resulted in a system that became more vulnerable to attack. For instance, the Office of the Chief Information Officer told the IG that various system owners the office supported prohibited it from making security updates to applications in a timely manner "because doing so would make it harder for employees to do their work."
"Conversely, program officials indicated that they directed security-related issues to the OCIO and never received responses," says Friedman, the inspector general. He notes that system anomalies discovered by an application developer and reported to the CIO prior to the breach were not fully investigated before being corrected.
Competing priorities of mission-related work and cybersecurity resulted in continued operation of systems even though they were known to have high-risk vulnerabilities, the IG says. Officials told auditors that they lacked the authority to impose restrictions on system operation or take other corrective measures when known security vulnerabilities were not addressed. "We could not determine with certainty whether the lack of authority, in all instances, was real or only perceived," Friedman says.
Similar problems surface at other organizations experiencing a breach. "Competing priorities, a lack of understanding of the complexity or magnitude of a security issue, or thinking 'it won't happen to us' all contribute," says Brian Dean, manager of audit and compliance at SecureState, a management consultancy focused on information security.
The audit also suggests senior officials wouldn't step up and take responsibility for the system. "Officials from the Office of the Chief Financial Officer told us that they believed that the OCIO was responsible for patching vulnerabilities in the breached system," the IG says. "However, OCIO officials told us just the opposite, that the OCFO was responsible for that task."
Additional Snags Identified
Other problems the IG discovered:
- The frequent use of complete Social Security numbers as identifiers, a practice contrary to federal guidance;
- Failure to encrypt personally identifiable information;
- Permitting direct Internet access to a highly sensitive system without adequate security controls;
- Lack of assurance that required security planning and testing activities were conducted;
- Allowing systems to operate even though they were known to have critical and/or high-risk security vulnerabilities; and
- Failure to assign the appropriate level of urgency to replacing end-of-life systems.
A Numbers Game
Though DoE officials put the number of individual records exposed at about 104,000, the IG's forensic examination revealed as many as 150,000 unique 9-digit values, possibly Social Security numbers, in the exposed data. DoE's chief information officer and acting chief financial officer told the IG that the higher number could be the result of thousands of false positives.
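The gap between the department's 104,000 figure and the IG's 150,000 unique 9-digit values illustrates a practical forensics problem: a raw count of SSN-shaped strings in a data dump also picks up employee numbers, account numbers and any other nine-digit field. The following added example, which is not from the IG report or the department, scans a constructed dump, normalizes hyphenated and unhyphenated forms to one key so the same number is not counted twice, and rejects values the Social Security Administration never issues (area 000, 666 or 900-999; group 00; serial 0000). The sample rows, column names and the nine-digit employee ID scheme are made up for the illustration.

```python
import re
from collections import Counter

# A 9-digit value written ddd-dd-dddd or ddddddddd, hyphens optional between
# groups, not embedded in a longer run of digits or a longer hyphenated string.
SSN_SHAPE = re.compile(r"(?<![\d-])(\d{3})-?(\d{2})-?(\d{4})(?![\d-])")

# Constructed sample dump (fake data, not from the breach). The emp_id column is
# a nine-digit employee number that a naive scan would count as an SSN.
SAMPLE_DUMP = """\
emp_id,name,ssn,phone,badge
900123456,Alice Example,123-45-6789,202-555-0100,B-0001
900123457,Bob Example,123456789,202-555-0101,B-0002
900123458,Carol Example,000-12-3456,202-555-0102,B-0003
900123459,Dan Example,666-01-0001,202-555-0103,B-0004
900123460,Eve Example,234-00-1234,202-555-0104,B-0005
900123461,Frank Example,345-67-0000,202-555-0105,B-0006
900123462,Grace Example,456-78-9012,202-555-0106,B-0007
"""


def structurally_valid_ssn(area, group, serial):
    """Reject values the SSA has never issued: area 000, 666 or 900-999,
    group 00, serial 0000. Passing this check does not prove the number was
    ever issued; it only removes the impossible ones."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def scan_for_ssns(text):
    """Return (raw, plausible): Counters keyed by the bare 9 digits, so that
    '123-45-6789' and '123456789' count as a single unique value."""
    raw, plausible = Counter(), Counter()
    for m in SSN_SHAPE.finditer(text):
        key = "".join(m.groups())
        raw[key] += 1
        if structurally_valid_ssn(*m.groups()):
            plausible[key] += 1
    return raw, plausible


def summarize(text):
    """Unique counts before and after the structural filter."""
    raw, plausible = scan_for_ssns(text)
    return {
        "raw_unique": len(raw),
        "plausible_unique": len(plausible),
        "rejected_unique": len(raw) - len(plausible),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP))
```

On the constructed dump the raw scan reports 13 unique nine-digit values, of which only two survive the filter: the seven employee IDs fall in the never-issued 900-999 area range and four of the SSN-column entries are structurally impossible. The surviving count is still an upper bound, not a confirmed victim count; where the column headers or schema survive in the recovered data, restricting the scan to the fields that actually held SSNs is the stronger check, and the structural filter then catches test or placeholder values within those fields.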
Still, the type of data exposed goes beyond the names, dates of birth and Social Security numbers initially reported by the department. The IG says a forensic analysis revealed that other unprotected information included some bank account numbers, places of birth, education details, security questions and answers, and descriptions of disabilities.
The breach, as well as earlier ones (see Energy Department HQ Computers Hacked), has taken a toll on DoE employee morale. "Reputational issues associated with the breach also have an adverse impact upon the department," Friedman says. "According to officials we spoke with, various employees received notification that their PII had been compromised in both this and an earlier unrelated breach and noted that employee complaints demonstrated a loss of confidence in departmental cybersecurity."
Among the IG's recommendations, all of which the department accepted, are: implement an effective continuous monitoring program; remove unnecessary or outdated information, including Social Security numbers; clarify authorities between the CIO and CFO; and develop an effective risk management approach that identifies weaknesses and the cost of mitigating them, so that senior managers can make informed decisions about applying resources before a similar breach occurs.