FEDweek IT

Despite early warning signs that some personnel-related information systems were at risk, the Department of Energy failed to adequately protect the personally identifiable information (PII) of a large number of its past and present employees, their dependents and many contractors, the department's inspector general has said.

In a follow-up report on a July 2013 incident in which a variety of PII on more than 104,000 individuals was exfiltrated, the IG identified technical and management shortcomings that together created an environment in which the breach was possible.

Compliance and technical problems included the routine use of complete Social Security numbers as identifiers, direct Internet exposure of a highly sensitive system without adequate security controls, and a lack of assurance that required security planning and testing activities had actually been carried out, according to the report.

It said that the Management Information System (MIS) and DOEInfo had not been securely integrated with one another, and that the Office of the CIO had neither performed the required system certification testing nor granted MIS an authorization to operate.

The department also did not take appropriate action to remediate known vulnerabilities on its systems. While the IG did not identify a single point of failure that led to the MIS/DOEInfo breach, it said a combination of technical and managerial problems left the door open for individuals with malicious intent to access the system with what appeared to be relative ease.