Update: DOJ Compromise Spills Info on DHS, FBI Employees


In-brief: A hacker appears to have compromised a U.S. government network and made off with hundreds of Gigabytes of data, including personal data on tens of thousands of employees of the Department of Homeland Security and the Department of Justice.  

Editor's Note: This story was updated to include comment from the DOJ and DHS as well as expert commentary and analysis. PFR Feb 8 2016.

There’s more bad news for federal employees, with the web site Motherboard reporting last night that a hacker appears to have compromised a U.S. government network and made off with hundreds of Gigabytes of data, including personal data on tens of thousands of employees of the Department of Homeland Security and the Department of Justice.

In a story filed on Sunday, Motherboard reporter Joseph Cox cited leaked employee data provided by an unidentified hacker. The data, part of more than 200 Gigabytes, includes email addresses and phone numbers of over 20,000 Federal Bureau of Investigation (FBI) employees and more than 9,000 Department of Homeland Security (DHS) employees. The veracity of the entire haul has not been confirmed, but Cox said that cursory checks on the DHS data suggested that the contact information was current and valid.

According to the Motherboard article, the hacker also claims to have downloaded hundreds of gigabytes of data from a Department of Justice (DOJ) computer, although that data has not been published.

If true, the leak would be just the latest since the hack of the Office of Personnel Management, which touched some 21 million federal employees. And the circumstances of the hack, as reported by Motherboard, are worrying for the federal government.

According to the report, the attack followed the compromise of a computer belonging to a DOJ employee. After compromising the system, the hacker posed as a new DOJ employee and convinced another DOJ employee to give him a unique code needed to remotely access the compromised employee’s computer via a DOJ web portal. From there, the hacker was able to access files and e-mail on the employee’s system, including the data that was stolen.


In an email statement, DHS spokesman SY Lee said that the agency is looking into the reports. “We take these reports very seriously, however there is no indication at this time that there is any breach of sensitive or personally identifiable information.”

In an e-mail statement to The Security Ledger, a Department of Justice spokesman wrote “The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information. This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information.”

Like DHS, the DOJ said it takes the issue seriously and “is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation.”

If true, the reports about the breach would suggest that government efforts to shore up the security of sensitive data in the wake of the OPM breach are falling short.

A recent report by FCW.com based on research by DHS and the FBI cited a “culture of poor cyber hygiene” at OPM that put “convenience and accessibility” ahead of “critical security practices” as a factor that “likely aided the adversary” in the large-scale hack of the agency. A lack of strong IT policies leaves OPM “at high risk for future intrusions,” the investigators concluded.

The memo lists common information security practices as remedies, including the use of a “personal firewall at agency workstations,” monitoring of users’ online habits and encryption of data that is stored on government networks.

“Unfortunately, this is very common,” said Stu Sjouwerman of KnowBe4, a Tampa, Florida firm that does security awareness training. “A lot of this comes back to policies, procedures and awareness training.” Phishing attacks like the one used against OPM are typically used in a “two step” attack, along with compromises of employee end points, he said.

The Department of Justice and other government agencies need to train staff to use other means to verify the identity of would-be employees, such as calls to mobile phones that are unlikely to be in the control of the hacker.

Also: government agencies need to lock down sensitive data and remove it from locations – such as employee workstations – where it doesn’t belong and is difficult to secure, Sjouwerman said.