DXPG

Total Pageviews

Monday, February 4, 2013

Energy Department Is the Latest Victim of an Online Attack

The Energy Department was hit by an online attack last month that compromised the personal data of several hundred employees.

In an e-mail sent to employees Friday evening, the agency confirmed that hackers penetrated computers and servers at the agency’s Washington headquarters and stole the personal information of hundreds of employees and contractors. The agency said it was working with federal authorities to investigate the attack. It said that, based on its findings, “no classified data was compromised.”

The attack on the Energy Department is the latest in a string of major attacks to surface in the last week. Last week, after The New York Times reported that Chinese hackers had attacked its computers and stolen employee passwords, The Wall Street Journal said it had also been attacked. The Washington Post was also attacked by Chinese hackers last year, according to people with knowledge of The Post’s investigation. And on Friday, Twitter announced that a group of sophisticated hackers had penetrated its systems, possibly stealing the personal information of 250,000 users.

“We’re seeing a widespread colonization of significant U.S. infrastructure,” said Tom Kellermann, a vice president for cybersecurity at TrendMicro, a Tokyo-based security company. “The level of organization and premeditation behind these attacks is really unprecedented.”

William Gibbons, an Energy Department spokesman, did not say whether the agency had determined who was behind the attack.

A person close to the investigation said the attack was unrelated to a separate incident last January when Anonymous, the loose hacking collective, dump! ed what appeared to be sensitive information from the Energy Department on Pastebin, a Web site frequently used by hackers. In that case, the data turned out to be more than two years old.

A former Energy Department security employee told The Washington Free Beacon Monday morning that the agency made for an easy target.

“It’s a continuing story of negligence,” Ed McCallum, a former Energy Department security official, told the Free Beacon. Mr. McCallum said that the agency continued to have security issues despite the fact that it manages the most “sophisticated military and intelligence technology the country owns.”

Here is the e-mail that the Energy Department sent to its employees:

The Department of Energy (DOE) has just confirmed a recent cyber incident that occurred in mid-January which targeted the Headquarters’ network and resulted in the unauthorized disclosure of emplyee and contractor Personally Identifiable
Information (PII).

The Department is strongly committed to protecting the integrity of each employee’s PII and takes any cyber incident very seriously. The Department’s Cybersecurity Team, the Office of Health, Safety and Security and the Inspector General’s office are working with federal law enforcement to promptly gather detailed information on the nature and scope of the incident and assess the potential impacts to DOE staff and contractors. Based on the findings of this investigation, no classified data was compromised.

We believe several hundred DOE employees’ and contractors’ PII may have been affected. As individual affected employees are identified, they will be notified and offered assistance on steps they can take to protect themselves from potential identity theft.

Once the full nature and extent of this incident is known, the Department will implement a full remediation plan. As more specific information is gather! ed regard! ing affected employees and contractors, the Department will make further notifications.

The Department is also leading an aggressive effort to reduce the likelihood of these events occurring again. These efforts include leveraging the combined expertise and capabilities of the Department’s Joint Cybersecurity Coordination Center to address this incident, increasing monitoring across all of the Department’s networks and deploying specialized defense tools to protect sensitive assets.

Cybersecurity is a shared responsibility, and we all play an important role in maintaining the integrity and security of our networks. To help minimize impacts and reduce any potential risks, please keep the following best practices in mind:

* Encrypt all files and emails containing PII or sensitive information, including files stored on hard drives or on the shared network.
* Do not store or email non-government related PII on DOE network computers