Hackers stole personally identifiable information this summer on more than 104,000 Energy Department employees, family members and contractors, the agency’s inspector general concluded in a new report that faults DOE officials for failing to take basic cybersecurity precautions.
Although the IG did not uncover a single “point of failure” for the July breach, a combination of technical and managerial problems “set the stage for individuals with malicious intent to access the system with what appeared to be relative ease,” the IG said in the report. The investigation also found that the personal information stolen was much more extensive than the department initially reported. Besides names, dates of birth and Social Security numbers, the data also included bank account numbers and places of birth, along with education and disability information, the report said.
DOE managers told the inspector general that they are notifying everyone affected. The cost of credit monitoring and creating a call center to provide more information will be about $1.6 million, according to the agency’s chief information officer. The incident, which comes on top of an earlier, unrelated breach, has also eroded employee trust in the department’s ability to protect its computer systems, the IG concluded. Among the failings by DOE officials noted in the report:
■ The use of complete Social Security numbers as identifiers, contrary to federal guidance.
■ Allowing direct Internet access to sensitive systems without adequate security controls.
■ Failing to fix high-risk computer system vulnerabilities.
The report did not say whether anyone has been disciplined or held accountable, but warned that the department remains at risk from similar hacking attacks. Energy Department administrators agreed with the IG’s recommendations for improvement, the report said.