In a recently published report on the DoE’s security breaches, Inspector General Gregory Friedman cited huge flaws in the department’s network. In July of 2013 the DoE was hacked again, having already been hacked multiple times since 2011; this time more than 100,000 individuals had their information taken, including social security numbers, bank account data, dates and places of birth, user names and security question answers.
According to the review, the Inspector General cited failures by the DoE which allowed hackers to infiltrate its networks. Once in, the hackers were easily able to dump important data from the databases. The most glaring hole was that the databases themselves, containing all of this private information, were not encrypted – a method that security experts have considered best practice for some time now.
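The control the report found missing is encryption of the PII at rest. As an added illustration (this is not code from the original post, the report, or the DoE), the following Go program encrypts the sensitive fields of a constructed sample record with AES-256-GCM before they are stored, so that a dumped row shows only ciphertext. The record ID is bound in as additional authenticated data, which means a ciphertext copied into another row, or modified in place, fails to decrypt. The field names, the record ID format and the sample SSN are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// encryptField seals one PII value with AES-256-GCM. A fresh random nonce is
// prepended to the ciphertext, and the record ID is bound in as additional
// authenticated data so a ciphertext moved to another row fails to decrypt.
func encryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce: nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// decryptField reverses encryptField. It fails on a wrong key, a wrong
// record ID, or any modification of the stored bytes.
func decryptField(key []byte, recordID string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// containsPlaintext reports whether a dumped row still exposes the value,
// i.e. whether the "encryption" is actually protecting anything.
func containsPlaintext(stored []byte, plaintext string) bool {
	return bytes.Contains(stored, []byte(plaintext))
}

func main() {
	// Assumption: in production the key comes from a KMS/HSM and is never
	// stored beside the data it protects.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ssn := "123-45-6789" // constructed sample value, not a real SSN
	recordID := "user-0001"

	ct, err := encryptField(key, recordID, []byte(ssn))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at rest:           %s\n", hex.EncodeToString(ct))
	fmt.Println("plaintext visible in dump:", containsPlaintext(ct, ssn))

	pt, err := decryptField(key, recordID, ct)
	fmt.Printf("decrypted with right key: %s (err=%v)\n", pt, err)

	// The same bytes copied into another user's row do not decrypt.
	_, err = decryptField(key, "user-0002", ct)
	fmt.Println("decrypt under other row:  ", err)
}
```

The point of binding the record ID is that a database dump cannot be reassembled with fields swapped between users, and an attacker who alters a stored value gets an authentication error rather than garbage that looks like data.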
Even more appalling than having sensitive data stored in the clear was the fact that members of the department’s Office of the Chief Information Officer did not apply critical security patches, even going years without installing updates!
Taken from the report’s highlights: “Permitting direct internet access to a highly sensitive system without adequate security controls. Interestingly, routine internet access to e-mail required greater security than did access to the vast amounts of PII contained in DOEInfo.”
This sort of news is shocking and, at the same time, something you just look at and think “Somehow I am not surprised”, which is a sad state of mind to have when thinking about security at this level of government. Just like so many other data breaches in recent months, basic security practices were not followed and the users end up paying for it.
If we take a step back and look at Adobe’s password breach, we can see that while the passwords were encrypted, the security questions were left in plain text, allowing people to easily decipher the passwords, especially when the security question is “The password is password”. However, at least Adobe thought enough to encrypt part of their data, whereas the Department of Energy seems to have fallen asleep during that lecture.
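Two defects are bundled in the Adobe paragraph: the passwords were stored reversibly, and the hint stored next to them was allowed to spell the password out. As an added example (not code from the original post or from Adobe), the Go program below shows the storage practice that avoids both: each password is turned into a salted, one-way PBKDF2-HMAC-SHA256 value that no key can reverse, verification is constant-time, and a hint is refused when it contains the password or any four-character run of it. PBKDF2 is written out inline so the example needs only the standard library; the iteration count, salt length and hint rule are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	saltLen    = 16
	keyLen     = 32
	iterations = 100_000 // assumption for the example; tune to your hardware
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out here so
// the example depends only on the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for blockIdx := 1; len(dk) < dkLen; blockIdx++ {
		// U1 = PRF(password, salt || INT_32_BE(blockIdx))
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(blockIdx >> 24), byte(blockIdx >> 16), byte(blockIdx >> 8), byte(blockIdx)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// T = U1 xor U2 xor ... xor Uiter, with U(i) = PRF(password, U(i-1))
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// StoredCredential is what the database holds: a per-user random salt and
// a one-way derived key. Unlike reversible encryption, there is no key that
// turns this back into the password, so a dump does not yield passwords.
type StoredCredential struct {
	Salt []byte
	Hash []byte
}

func HashPassword(password string) (StoredCredential, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, iterations, keyLen)}, nil
}

// VerifyPassword recomputes the derivation and compares in constant time.
func VerifyPassword(c StoredCredential, password string) bool {
	candidate := pbkdf2SHA256([]byte(password), c.Salt, iterations, keyLen)
	return subtle.ConstantTimeCompare(candidate, c.Hash) == 1
}

// HintAllowed refuses a hint that gives the password away: the whole
// password, or any four-character run of it, appearing in the hint
// regardless of case. The four-character rule is a deliberately strict
// assumption for the example and will reject some harmless hints.
func HintAllowed(password, hint string) bool {
	p := strings.ToLower(password)
	h := strings.ToLower(hint)
	if strings.Contains(h, p) {
		return false
	}
	for i := 0; i+4 <= len(p); i++ {
		if strings.Contains(h, p[i:i+4]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample users; the same password yields different stored
	// values because each user gets a fresh salt.
	a, _ := HashPassword("password")
	b, _ := HashPassword("password")
	fmt.Println("user A hash:", hex.EncodeToString(a.Hash))
	fmt.Println("user B hash:", hex.EncodeToString(b.Hash))
	fmt.Println("A verifies:", VerifyPassword(a, "password"), " wrong pw:", VerifyPassword(a, "Password"))
	fmt.Println("hint allowed:", HintAllowed("password", "The password is password"))
}
```

Because every user has a distinct salt, identical passwords no longer produce identical stored values, so a leaked table cannot be clustered by shared ciphertext and one careless hint cannot be applied to every account with the same password.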
If a lesson is to be learned, it is that while the bare minimum may not be enough…doing nothing is worse. The word security means: the state of being free from danger or threat – not an achievable goal if you fall short on the basics.