Was the EPA data breach a failure of cybersecurity 101?

More details are emerging from the Environmental Protection Agency’s security breach that affected nearly 8,000 users -- including the conclusion that it was caused by a virus in an e-mail attachment, possibly on a contractor’s computer.

The compromised servers contained data related to the Superfund program, the hazardous-waste cleanup effort mandated in 1980. The program is almost entirely managed by contractors, according to the Washington Business Journal, which originally reported the EPA breach on Aug. 4.

The breach occurred in March.

The data, including Social Security numbers, bank account information and home addresses, was exposed after an e-mail attachment with a virus was opened on a computer with access privileges to the breached servers, according to reports. 

The EPA did not confirm that the computer belonged to a contractor, but reportedly did say that the agency heavily relies on contractors to provide IT services.

“Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA and throughout the public and private sectors. The agency has already added new safeguards in response to this incident,” reads an EPA statement.

The breach leaves questions about the cybersecurity measures in place at the agency -- and agencies throughout government. Technology and policy are both critical to the success of a security effort, along with education and training, experts say. 

“We cannot just have policy-based approaches to cybersecurity – it has to be technology-based too,” said Tony Busseri, CEO of Route1, an IT security firm. “If we rely upon the human condition – i.e., we expect someone to adhere to a policy – and that’s the only protection we have, we’re going to have failure. By nature people are prone to making errors.”

According to Busseri, if a contractor was remotely accessing the servers – which the EPA has not confirmed – they may have been exposed to malware and/or viruses on the contractor’s computer.

That concern isn’t limited to the EPA, or to this specific incident – it’s something that must be considered as the federal government increasingly looks to telework and bring-your-own-device policies, Busseri said.

“We’ve forgotten in today’s world some of the simple rules of dealing with data. As soon as we allow data to go beyond the network perimeter, all the firewalls and monitoring tools are rendered useless. It comes down to cybersecurity 101,” he said. “We should be using technology that is principled around minimizing vulnerabilities and risk. Then you educate the user on using that technology.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Reader comments

Tue, Aug 7, 2012

The story failed to mention that affected EPA personnel were not notified until several days ago. EPA personnel are always kept in the dark about IT security breaches.

Mon, Aug 6, 2012 Robert MD

Security 101 to filter all attachments using an automated malware analysis solution would have prevented this. Pick your vendor, I won't, but solutions do exist that would have stopped this. Blaming the contractor is a cheap shot. APTs are clicked on by gov and contractors equally so get off your high horses. Solve the problem with solutions and avoid pointing fingers at one another. We all fight under the same flag!!!

Mon, Aug 6, 2012

Don't blame contractors. The govt wants to reduce its size and costs and can only do that by hiring contractors. Naturally, they do not want to pay the money it takes to keep skilled experienced IT personnel in-house. It is not if, it is when it happens again. Exposing the system outside of the firewall will make it a sure bet.

Mon, Aug 6, 2012

If they put 1/10 the effort into security as the effort they use at the superfund site on the MMR giving the military a hard time above and beyond regulations and federal law, there would be no security breaches in their system!!!

Mon, Aug 6, 2012 RayW

Possibly, almost entirely, reportedly, if, may – whatever happened to factual reporting? Granted there were many quotes, but still...


Malicious attachment - That happened here several years ago. There were many folks who got a copy of that email (with differing from addresses) and some clicked on the attachment. One person clicked on it because it was from her boss and looked like a file he had promised her. All the spyware, trojans, and 'protections' that are loaded on our computers did not catch it, then. Since then we strip executables, no ifs, ands, or buts.

Without more information than this blog, most of the posts I have seen so far are pure speculation and "US vs THEM" posts.
