The personal information of more than 104,000 Energy Department employees, contractors and families was compromised in a July cyber attack, according to a report released Dec. 11.
The inspector general said in the report the agency ignored a number of early warning signs and had not taken actions needed to protect the information of current and past employees.
Officials initially estimated that the attack had affected 14,000 people, but that number grew to 53,000 and then nearly doubled as the investigation continued.
The agency allowed employees direct internet access to highly sensitive systems without adequate security controls and frequently used complete social security numbers as employee identifiers, according to the report.
The IG found no single point of failure, but, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease.
Among the information accessed included social security numbers, birth dates, bank account numbers, security questions and answers and full names, according to the report.