The US government has suffered another data breach. While not as severe as the cyberattack on the Office of Personnel Management last year, the recent hack has resulted in the personal information of nearly 30,000 government employees being dumped online.
In the original story by Motherboard on Sunday, an anonymous hacker promised to publish the details of more than 20,000 Federal Bureau of Investigation agents and 9000 Department of Homeland security officers.
Just before the Super Bowl kickoff, the cybercriminal stuck to his word and uploaded a list of 9000 DHS employees. Yesterday, the personal data of 20,000 FBI agents was also released.
The information, which is published on an encrypted text-sharing site, includes names, titles, email addresses, and contact details. The hacker, who uses the Twitter username @DotGovs, posted a tweet with a link to the dump. It read: “Long Live Palestine, Long Live Gaza,” and included the hashtag #FreePalestine. The account also posted two screenshots of a web browser logged into a DoJ computer.
The person responsible for the breach told Motherboard that they carried out the hack by compromising a Department of Justice (DOJ) email account. They then tricked a department representative into handing over a token code to access the DOJ portal, used the compromised credentials to log into the portal, and gained access to an online virtual machine. From here, the hacker was able to access the databases of DHS and FBI details that were stored on the DOJ intranet.
Some of the information is out of date, and the DOJ is, as you would expect, playing down the incident. “There is no indication at this time that there is any breach of sensitive personally identifiable information,” DOJ spokesman Peter Carr told the Guardian. One official compared the hack to stealing a years-old AT&T phone book after most of the data already been digitized.
Despite their words of reassurance, the DOJ acknowledges that this is another example of the government's weak digital security procedures being exposed. “The bottom line is, something broke,” an official said.
Leo Taddeo, currently the CSO of Cryptzone and former Special Agent in Charge of the Special Operations/ Cyber Division of the FBI’s New York Office, believes that the DOJ has few options available for its next move.
“Recalling the information is not possible. The FBI may request that sites hosting the information take it down, but it would be very unlikely the FBI could obtain authority to compel a site to remove the list. Most likely, the FBI will warn employees of the loss of data and monitor for any anomalous activity that can be attributed to the loss. While the risks from this type of loss will never dissipate completely, over time, the information will become less sensitive due to employee rotations and turnover,” said Taddeo.
He added that the government needs to deploy user access controls that go beyond two-factor authorization to reduce the chance of another social engineering attack taking place.
“By checking multiple attributes, an enterprise can create a ‘digital identity’ that is almost impossible to socially engineer. For example, before allowing access, enterprises can check the user's location, the time of day, the computer's configuration, patch level, and use of antivirus. By creating this "digital identity," a network is less likely fooled and better protected from bad user behavior.”