Was the EPA data breach a failure of cybersecurity 101?

More details are emerging from the Environmental Protection Agency’s security breach that affected nearly 8,000 users -- including the conclusion that it was caused by a virus in an e-mail attachment, possibly on a contractor’s computer.

The compromised servers contained data related to the Superfund program, the hazardous-waste cleanup effort mandated in 1980. The program is almost entirely managed by contractors, according to the Washington Business Journal, which originally reported the EPA breach on Aug. 4.

The breach occurred in March.

The data, including Social Security numbers, bank account information and home addresses, was exposed after an e-mail attachment with a virus was opened on a computer with access privileges to the breached servers, according to reports. 

The EPA did not confirm that the computer belonged to a contractor, but reportedly did say that the agency heavily relies on contractors to provide IT services.

“Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA and throughout the public and private sectors. The agency has already added new safeguards in response to this incident,” reads an EPA statement.

The breach raises questions about the cybersecurity measures in place at the agency and at agencies throughout government. Technology and policy are both critical to the success of a security effort, along with education and training, experts say.

“We cannot just have policy-based approaches to cybersecurity – it has to be technology-based too,” said Tony Busseri, CEO of Route1, an IT security firm. “If we rely upon the human condition – i.e., we expect someone to adhere to a policy – and that’s the only protection we have, we’re going to have failure. By nature people are prone to making errors.”
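The infection path described above (a user opening a malicious e-mail attachment on a machine with access to sensitive servers) and the point that a control should not depend on the user following policy both come down to the same thing: strip or block dangerous attachments before anyone can double-click them. The following is an added example, not the EPA's control or any product's code; the extension deny-list and the file-magic checks are assumptions chosen for illustration, and the sample message is constructed inline.

```python
"""Mail-gateway attachment gate (added illustration, not an agency control).

Flags attachments that a user should never be able to open into execution,
checking both the declared filename and the file's magic bytes so that a
renamed executable is still caught. The lists below are hypothetical policy.
"""
import email
from email import policy
from email.message import EmailMessage

# Hypothetical deny-list: extensions Windows executes on open, plus
# macro-enabled Office formats. Extension checks alone are easy to bypass
# by renaming, which is why magic bytes are checked as well.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".wsf", ".hta", ".lnk", ".docm", ".xlsm", ".pptm",
}

# Leading bytes of file types no mail attachment should carry:
# "MZ" = DOS/PE executable, "\x7fELF" = ELF binary.
BLOCKED_MAGIC = (b"MZ", b"\x7fELF")


def classify_attachment(filename: str, payload: bytes) -> str:
    """Return 'allow', 'block-extension' or 'block-magic' for one attachment."""
    name = (filename or "").lower()
    # endswith() also catches double extensions such as "report.pdf.exe".
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return "block-extension"
    # A renamed binary still carries its real header.
    if payload[:4].startswith(BLOCKED_MAGIC):
        return "block-magic"
    return "allow"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse an RFC 5322 message and return (filename, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        results.append((filename, classify_attachment(filename, payload)))
    return results


def build_sample_message() -> bytes:
    """Constructed sample: a benign CSV, a PE stub disguised as a PDF, a .docm."""
    msg = EmailMessage()
    msg["From"] = "contractor@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Superfund site report"
    msg.set_content("Please see attached.")
    msg.add_attachment("site,status\n1,open\n", subtype="csv",
                       filename="sites.csv")
    # Fake PE header with a harmless-looking name and MIME type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Macro-enabled document (OOXML zip header), blocked by extension.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name:15s} {verdict}")
```

Run at the gateway, a verdict other than "allow" would quarantine the message rather than deliver it; the user never gets the choice Busseri warns about. Blocking by extension alone would have let the renamed executable through, which is why the magic check is there.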

According to Busseri, if a contractor was remotely accessing the servers – which the EPA has not confirmed – the servers may have been exposed to malware and/or viruses on the contractor’s computer.

That concern isn’t limited to the EPA, or to this specific incident – it’s something that must be considered as the federal government increasingly looks to telework and bring-your-own-device policies, Busseri said.

“We’ve forgotten in today’s world some of the simple rules of dealing with data. As soon as we allow data to go beyond the network perimeter, all the firewalls and monitoring tools are rendered useless. It comes down to cybersecurity 101,” he said. “We should be using technology that is principled around minimizing vulnerabilities and risk. Then you educate the user on using that technology.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
