Was the EPA data breach a failure of cybersecurity 101?

More details are emerging from the Environmental Protection Agency’s security breach that affected nearly 8,000 users -- including the conclusion that it was caused by a virus in an e-mail attachment, possibly on a contractor’s computer.

The compromised servers contained data related to the Superfund program, the hazardous-waste cleanup effort mandated in 1980. The program is almost entirely managed by contractors, according to the Washington Business Journal, which originally reported the EPA breach on Aug. 4.

The breach occurred in March.

The data, including Social Security numbers, bank account information and home addresses, was exposed after an e-mail attachment with a virus was opened on a computer with access privileges to the breached servers, according to reports. 

The EPA did not confirm that the computer belonged to a contractor, but reportedly did say that the agency heavily relies on contractors to provide IT services.

“Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA and throughout the public and private sectors. The agency has already added new safeguards in response to this incident,” reads an EPA statement.

The breach leaves questions about the cybersecurity measures in place at the agency -- and agencies throughout government. Technology and policy are both critical to the success of a security effort, along with education and training, experts say. 

“We cannot just have policy-based approaches to cybersecurity – it has to be technology-based too,” said Tony Busseri, CEO of Route1, an IT security firm. “If we rely upon the human condition – i.e., we expect someone to adhere to a policy – and that’s the only protection we have, we’re going to have failure. By nature people are prone to making errors.”

According to Busseri, if a contractor was remotely accessing the servers – which the EPA has not confirmed – they may have been exposed to malware and/or viruses on the contractor’s computer.

That concern isn’t limited to the EPA, or to this specific incident – it’s something that must be considered as the federal government increasingly looks to telework and bring-your-own-device policies, Busseri said.

“We’ve forgotten in today’s world some of the simple rules of dealing with data. As soon as we allow data to go beyond the network perimeter, all the firewalls and monitoring tools are rendered useless. It comes down to cybersecurity 101,” he said. “We should be using technology that is principled around minimizing vulnerabilities and risk. Then you educate the user on using that technology.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Featured

  • IT Modernization
    Eisenhower Executive Office Building (Image: Wikimedia Commons)

    OMB's user guide to the MGT Act

    The Office of Management and Budget is working on a rules-of-the-road document to cover how agencies can seek and use funds under the MGT Act.

  • global network (Pushish Images/Shutterstock.com)

    As others see us -- a few surprises

    A recent dinner with civil servants from Asia delivered some interesting insights, Steve Kelman writes.

  • FCW Perspectives
    cloud (Singkham/Shutterstock.com)

    A smarter approach to cloud

    Advances in cloud technology are shifting the focus toward choosing the right tool for the job and crafting solutions that truly modernize systems.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.