Energy acknowledges data theft

As Energy Department officials acknowledged that cyber thieves stole personal information from about 1,500 people, analysts are offering solutions to better safeguard private information.

Energy officials told a House panel late last week that the data breach, which happened about eight months ago, involved the personal information of employees and contractor personnel. The data included their Social Security numbers, which could allow identity thieves to take out loans or get credit cards using the victims' information.

News of the theft was the second major revelation in recent weeks. In May, Department of Veterans Affairs officials said an employee took home a laptop computer and external hard drive containing the personal information of about 26.5 million veterans. The hardware was then stolen from the employee's home.

The two breaches are different in character, one involving the theft of hardware and the other a cyberattack that defeated network security. But Bruce Brody, vice president of information security at Input, said agencies generally maintain lax and unfocused security policies that make information vulnerable.

The DOE theft was aimed at the National Nuclear Security Agency, a semi-autonomous agency within the department, and the officials who discovered the breach did not inform Energy’s secretary or the affected individuals until months later, according to testimony in the recent House hearing. Brody said it is certain that more such thefts have already happened and have not yet come to light.

"I'm not a big fan of [the Federal Information Security Management Act] because I don't believe it measures the right things, but even at that the whole government is a D+," he said, referring to FISMA's letter-grade reports on agencies. "That tells you the right things are not in place. The federal government simply does not have the controls in place to prevent this from happening."

The main problem Brody sees is the lack of centralization of security practices in agencies. Large organizations with responsibilities distributed among various locations simply can't manage data the way they need to, he said.

Under most agencies' structures, "no one has the necessary authority and the necessary clout to hold people accountable," he said.

Ted Julian, vice president of marketing at security firm Application Security Inc., said security policies are often aimed at the threats of yesterday.

"It used to be that the standard attack was to deface a Web site," he said. "No more. I can't remember when I last saw one of those. The hackers have either gone professional or grown up or both."
