[ISN] Another federal breach exposes employee records

InfoSec News isn at c4i.org
Mon Jun 12 04:22:44 EDT 2006


By Heather Greenfield
National Journal's Technology Daily
June 9, 2006 

The Energy Department disclosed to Congress on Friday that it suffered
a security breach from a hacker in September that compromised 1,500
personnel records.

The news broke just as a House Energy and Commerce Oversight and
Investigations Subcommittee was supposed to start a hearing on how
secure Energy Department computers are in light of recently reported
data breaches at the Internal Revenue Service and Veterans Affairs

Kentucky Republican Ed Whitfield, chairman of the Subcommittee, said
there is no excuse for the department to have its current "F" in
cyber-security compliance -- or for waiting eight months to tell the
Energy secretary or his committee about the security breach.

"It's unbelievable [that] 1,500 personnel files can be compromised
with Social Security numbers," Whitfield said. "The impact that can
have on individuals is quite disturbing."

Full Energy and Commerce Committee Chairman Joe Barton, R-Texas,
visited the hearing room to express his outrage at the data breach and
later called Energy Secretary Samuel Bodman. "If the administration
won't do something about this incident, this committee will," he said.

While most of the details of the hacking incident were discussed later
in executive session, a government agency that tests the department by
breaking into its computer system said the attack was at the National
Nuclear Security Administration.

NNSA Administrator Linton Brooks said he learned of the
"sophisticated" hacking incident in September. He said he did not know
whose job it was to tell Bodman, but he wished he had.

"Mr. Brooks, I'm going to recommend you be removed from office, and I
think you would do the country a service if you resigned," Barton
said. Brooks said that because the breach was labeled a
counterintelligence issue, the two sides of the organization each
assumed the other had notified the secretary. Barton called that
explanation "hogwash."

Energy Chief Information Officer Thomas Pyke said he was aware of
various hacking incidents but only learned of the personnel data
involved two days ago.

Pyke said the department faces hundreds of thousands of attacks each
day. In the event where the records were exposed, he said the attack
penetrated both a firewall and a detection system.

Glenn Podonsky, director of the office of security and safety
performance assessment, told lawmakers that in November, his team
successfully accessed Energy's unclassified computer system. He said
they gained access to financial and personal data, and could have
impersonated or monitored department executives.

"We basically had domain control," Podonsky said. He said with
security improvements made since then that the office could break in
but not gain domain control.

He said his office believes Energy is moving too slowly in making
security improvements and noted that part of the problem is because of
work done by outside contractors.

Whitfield also wanted to know why the Energy Department has failed to
report 50 percent of attacks to its computer systems. Podonsky said he
agreed they should be reported to help law enforcers track them.

©2006 by National Journal Group Inc. All rights reserved.

More information about the ISN mailing list