Data breach exposes Energy Department's 'continuing story of negligence'

U.S. Department of Energy claims no classified info was stolen by hackers, just personal data belonging to employees

The U.S. Department of Energy has admitted that unidentified malicious hackers successfully breached 14 of its servers and 20 of its workstations two weeks ago, making off with personal information belonging to several hundred employees. The department's assurances that "no classified data was compromised" come as little comfort, however, considering the department's spotty security history.

"It's a continuing story of negligence," Ed McCallum, former director of the department's office of safeguards and security, told the Free Beacon. "[The department] is on the cutting edge of some of the most sophisticated military and intelligence technology the country owns and it is being treated frivolously by the Department of Energy and its political masters."

Late last year, an audit of the Department of Energy revealed that 58 percent of the department's computers were running OSes or applications that hadn't been patched against known vulnerabilities. Similarly, at least 157 of the department's network systems were in need of patching, and 41 servers were running OSes no longer supported by vendors.

Examiners identified server vulnerabilities "that could have resulted in a compromise of business information or unauthorized access to critical application functionality and data, as well as loss or disruptions of critical operations," the audit said.

In a letter to employees and contractors sent out last Friday, the Department of Energy said it would notify individuals whose sensitive information had been stolen to help protect them from identity theft. The letter also said the department was "leading an aggressive effort to reduce the likelihood of these events occurring again."

The letter noted that "cybersecurity is a shared responsibility" and asked employees to adhere to a couple of "best practices": encrypting all files and emails containing PII (personally identifiable information) or other sensitive information, and avoiding storing or emailing non-government-related PII on DOE network computers.

Authorities may also wish department employees were well-versed in identifying phishing attacks. Malicious hackers have been known to use stolen personal data to dupe users into giving up their passwords or opening a malware-infected document. From there, it's only a matter of time before a persistent and sufficiently skilled hacker can wreak havoc, whether overtly by defacing Web pages and deleting data or covertly by snooping and stealing data via an APT (advanced persistent threat). The prospect of the DOE being hit with an APT is particularly troubling, considering it oversees the National Nuclear Security Administration, which manages the U.S. nuclear weapons stockpile.

Here's hoping the DOE -- along with other governmental agencies, financial institutions, and utilities -- wakes up quickly to the fact that the United States is engaged in an unseen, all-out cyber war.

This article, "Data breach exposes Energy Department's 'continuing story of negligence'," was originally published by InfoWorld on its Tech Watch blog.