Energy acknowledges data theft

More such privacy breaches have almost certainly already happened, a security analyst says.

As Energy Department officials acknowledged that cyber thieves stole personal information from about 1,500 people, analysts are offering solutions to better safeguard private information.

Energy officials told a House panel late last week that the data breach, which happened about eight months ago, involved the personal information of employees and contractor personnel. The data included their Social Security numbers, which could allow identity thieves to take out loans or get credit cards using the victims' information.

News of the theft was the second major revelation in recent weeks. In May, Department of Veterans Affairs officials said an employee took home a laptop computer and external hard drive containing the personal information of about 26.5 million veterans. The hardware was then stolen from the employee's home.

The two breaches are different in character, one involving the theft of hardware and the other a cyberattack that defeated network security. But Bruce Brody, vice president of information security at Input, said agencies generally maintain lax and unfocused security policies that make information vulnerable.

The DOE theft was aimed at the National Nuclear Security Agency, a semi-autonomous agency within the department, and the officials who discovered the breach did not inform Energy’s secretary or the affected individuals until months later, according to testimony in the recent House hearing. Brody said it is certain that more such thefts have already happened and have not yet come to light.

"I'm not a big fan of [the Federal Information Security Management Act] because I don't believe it measures the right things, but even at that the whole government is a D+," he said, referring to FISMA's letter-grade reports on agencies. "That tells you the right things are not in place. The federal government simply does not have the controls in place to prevent this from happening."

The main problem Brody sees is the lack of centralization of security practices in agencies. Large organizations with responsibilities distributed among various locations simply can't manage data the way they need to, he said.

Under most agencies’ structures, “no one has the necessary authority and the necessary clout to hold people accountable,” he said.

Ted Julian, vice president of marketing at security firm Application Security Inc., said security policies are often aimed at the threats of yesterday.

"It used to be that the standard attack was to deface a Web site," he said. "No more. I can't remember when I last saw one of those. The hackers have either gone professional or grown up or both."
