U.S. Dept. of Energy reports second security breach

In a letter sent to employees on Wednesday, the U.S. Department of Energy (DOE) disclosed a security incident, which resulted in the loss of personally identifying information (PII) to unauthorized individuals. This is the second time this year such a breach has occurred. The letter, obtained by the Wall Street Journal, doesn't identify the root cause of the incident, or provide much detail, other than the fact that no classified data was lost.

"The Department of Energy has confirmed a recent cyber incident that occurred at the end of July and resulted in the unauthorized disclosure of federal employee Personally Identifiable Information (PII)... We believe about 14,000 past and current DOE employees' PII may have been affected," the letter states in part.

Back in February, the DOE disclosed a similar incident where PII was lost. That incident also included the compromise of 14 servers and 20 workstations. At the time, officials blamed Chinese hackers, but two weeks earlier a group calling itself Parastoo (a common girl's name in Farsi) claimed they were behind the breach, posting data allegedly taken from a DOE webserver (including a copy of /etc/passwd and Apache config files) as proof.

In this most recent case, the motive behind the attack may be something simple, such as data harvesting, since PII is rather valuable to criminals. Or it may be something else entirely.

"In some cases, attackers target information about employees because they can use that information to impersonate those employees in spear phishing attacks or compromise their access credentials," Tom Cross, director of security research at Lancope, told CSO in an email.

"Sometimes, the attackers log right in using employees' access credentials and then proceed to access information on the network without using any custom malware. A defensive strategy that focuses exclusively on detecting exploits and malware cannot detect this sort of unauthorized activity."

In related news, defense contractor Northrop Grumman disclosed a similar data breach, involving the loss of PII related to employees who applied to the Balkans Linguist Support Program.

According to the notification letter, Northrop says the breach, which occurred between late November 2012 and May 2013, targeted a database housing applicant and participant data for the program. The exposed data includes names, dates of birth, blood types, Social Security numbers, other government-issued identification numbers, and contact information.

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.
  2. Pre-define your incident response team.
  3. Define your approach: watch and learn or contain and recover.
  4. Pre-distribute call cards.
  5. Forensic and incident response data capture.
  6. Get your users on-side.
  7. Know how to report crimes and engage law enforcement.
  8. Practice makes perfect.
