DOE victim of mid-January data breach, though no classified data stolen


Hackers last month breached the Energy Department's headquarters network, capturing personal data for hundreds of DOE employees and contractors but not top secret energy or nuclear information, according to an article in InformationWeek.

The article quotes Alan Paller, director of research for the SANS Institute, a security company, who said DOE was the target of a "long-term, intensive campaign" whose goal was to compromise networks at DOE headquarters and national laboratories. DOE's Joint Cybersecurity Coordination Center is conducting an investigation of the incident, in which no classified data was compromised.

"We believe several hundred DOE employees' and contractors' [personally identifiable information] may have been affected," states a Feb. 1 memo circulated to agency employees and obtained by InformationWeek. "As individual affected employees are identified, they will be notified and offered assistance on steps they can take to protect themselves from potential identity theft."

The article notes that the DOE memo urges all employees "to help minimize impacts and reduce any potential risks" by encrypting all files and emails that contain personally identifiable information, "including files stored on hard drives or on the shared network." Based on that, the article surmises that the agency has not implemented full-disk encryption tools for all its employees and contractors.

"DOE is as good or better than any civilian agency on encryption and sadly they are not very far along at all," said Paller.

In the hands of hackers, personal information could be used to design better social engineering attacks, and in particular spear-phishing attacks in which personalized emails trick users into opening malicious attachments, according to the article.
