The Office of the Inspector General has published a detailed report

Dec 17, 2013 08:26 GMT
Office of Inspector General publishes report on the US Department of Energy breach

Over the past few years, the US Department of Energy has suffered at least three cybersecurity breaches, the most recent of which was reported in July 2013. The department’s inspector general has published a special report that analyzes this incident.

Cybercriminals have managed to gain access to the personal information of over 104,000 individuals by exploiting software vulnerabilities.

“While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease,” the report notes.

“The attackers in this case were able to use exploits commonly available on the internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data – information that could be used to damage the financial and personal interests of many individuals.”

The list of technical and management issues identified by the Office of the Inspector General includes the fact that personally identifiable information was not encrypted, and that the organization permitted direct Internet access to highly sensitive systems without adequate security controls being put in place.

Another problem is the lack of software patching. The inspector general found that the organization failed to fix vulnerable components, whether through patching, upgrades or system enhancements.

The department has also failed to replace outdated systems. For instance, support for the application targeted by the attackers ended in July 2012. However, the Department of Energy updated the software only eight months later.

As a result of the breach, the Department of Energy has lost a total of $3.7 million (€2.7 million).

Part of this amount has been used for credit monitoring services and to set up a call center through which impacted individuals could obtain additional information regarding the breach. However, most of it represents lost productivity.