Was the EPA data breach a failure of cybersecurity 101?

More details are emerging from the Environmental Protection Agency’s security breach that affected nearly 8,000 users -- including the conclusion that it was caused by a virus in an e-mail attachment, possibly on a contractor’s computer.

The compromised servers contained data related to the Superfund program, the hazardous-waste cleanup effort mandated in 1980. The program is almost entirely managed by contractors, according to the Washington Business Journal, which originally reported the EPA breach on Aug. 4.

The breach occurred in March.

The data, including Social Security numbers, bank account information and home addresses, was exposed after an e-mail attachment with a virus was opened on a computer with access privileges to the breached servers, according to reports. 

The EPA did not confirm that the computer belonged to a contractor, but reportedly did say that the agency heavily relies on contractors to provide IT services.

“Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA and throughout the public and private sectors. The agency has already added new safeguards in response to this incident,” reads an EPA statement.

The breach leaves questions about the cybersecurity measures in place at the agency -- and agencies throughout government. Technology and policy are both critical to the success of a security effort, along with education and training, experts say. 

“We cannot just have policy-based approaches to cybersecurity – it has to be technology-based too,” said Tony Busseri, CEO of Route1, an IT security firm. “If we rely upon the human condition – i.e., we expect someone to adhere to a policy – and that’s the only protection we have, we’re going to have failure. By nature people are prone to making errors.”

According to Busseri, if a contractor was remotely accessing the servers – which the EPA has not confirmed – the servers may have been exposed to malware and/or viruses on the contractor’s computer.

That concern isn’t limited to the EPA, or to this specific incident – it’s something that must be considered as the federal government increasingly looks to telework and bring-your-own-device policies, Busseri said.

“We’ve forgotten in today’s world some of the simple rules of dealing with data. As soon as we allow data to go beyond the network perimeter, all the firewalls and monitoring tools are rendered useless. It comes down to cybersecurity 101,” he said. “We should be using technology that is principled around minimizing vulnerabilities and risk. Then you educate the user on using that technology.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


Reader comments

Tue, Aug 7, 2012

The story failed to mention that affected EPA personnel were not notified until several days ago. EPA personnel are always kept in the dark about IT security breaches.

Mon, Aug 6, 2012 Robert MD

Security 101 to filter all attachments using an automated malware analysis solution would have prevented this. Pick your vendor, I won't, but solutions do exist that would have stopped this. Blaming the contractor is a cheap shot. APTs are clicked on by gov and contractors equally so get off your high horses. Solve the problem with solutions and avoid pointing fingers at one another. We all fight under the same flag!!!

Mon, Aug 6, 2012

Don't blame contractors. The govt wants to reduce its size and costs and can only do that by hiring contractors. Naturally, they do not want to pay the money it takes to keep skilled experienced IT personnel in-house. It is not if, it is when it happens again. Exposing the system outside of the firewall will make it a sure bet.

Mon, Aug 6, 2012

If they put 1/10 the effort into security as the effort they use at the superfund site on the MMR giving the military a hard time above and beyond regulations and federal law, there would be no security breaches in their system!!!

Mon, Aug 6, 2012 RayW

Possibly, almost entirely, reportedly, if, may – whatever happened to factual reporting? Granted there were many quotes, but still...

Malicious attachment - That happened here several years ago. There were many folks who got a copy of that email (with differing from addresses) and some clicked on the attachment. One person clicked on it because it was from her boss and looked like a file he had promised her. All the spyware, trojans, and 'protections' that are loaded on our computers did not catch it, then. Since then we strip executables, no ifs, ands, or buts.

Without more information than this blog, most of the posts I have seen so far are pure speculation and "US vs THEM" posts.
