08-30-2013 02:57 PM
According to an email sent to all DOE employees on Aug. 29, information on 2,532 current employees, 3,172 former employees and seven employees on leave was stolen in the breach, which occurred in July. "The sensitive PII data compromised was limited to names, dates of birth and social security numbers," the internal memo stated. The stored information did not include banking, credit card or clearance information, according to the memo, which said that no information related to agency contractors had been compromised.
Originally, the agency stated the breach affected 14,000 employees. Affected employees may be out of luck if their identities have been stolen. The DOE has offered no related advice or services to its employees beyond pointing them to an FTC pamphlet called "Taking Charge: What To Do If Your Identity Is Stolen."
While the employees themselves certainly have something to worry about, so does the DOE. It uses what sounds like a single-sign-on system whose logins consist of - you guessed it - names and social security numbers.
According to DOE sources, the problem of insecure systems that contain PII is widely known at the agency but difficult to change since more than 1,000 systems tap DOEInfo, which maintains a single user ID for each employee, tied to employee access permissions. "Our logins still use our initials and parts of our SSN (duh), who would think that was good enough in the first place?" one source said in an email message. "Complaining doesn't help. The answer is always, it costs too much to redo our PII."
That doesn't mean those are the only components of the logins, but if there is any convention to the login creation system, it wouldn't be too difficult to figure out what a lot of the logins are. Obtaining a possibly-commonly-used password for a DOE employee could potentially be as simple as using the social security number to obtain the password from a personal account and trying it on the DOE systems.
The attack itself exploited an out-of-date ColdFusion-based application. It serves as a good reminder of the need to keep your applications patched and up to date.
As we've mentioned before, it really wouldn't hurt for the DOE to layer on the Webroot Intelligence Network.