Kudos to Mathew J. Schwartz of InformationWeek for following up on the July Dept. of Energy hack.
In August, Schwartz reported that the breach involved an outdated version of ColdFusion. In September, he reported that the number of people affected was not 14,000 – as originally estimated by DOE – but about 53,000.
Today, Schwartz calls our attention to yet another update on the breach:
“The department has now identified approximately 104,179 past and current federal employees, including dependents and contractors, whose name, social security number, and date of birth were compromised by this cyber incident,” says a July 2013 Cyber Incident FAQ released by the agency’s Office of the CIO.
That data breach victim count more than doubles the number of records that the agency previously thought might have been compromised. Of the people affected, “64,480 are personnel within our direct DOE Federal and M&O [management and operating] Contractor Community, including spouses, dependents, and former employees,” according to a memo distributed to DOE employees on Oct. 11, 2013. “The remainder are personnel from other federal agencies and support contractors.”
From 14,000 to over 104,000? The update to the FAQ is not dated, so it is not clear to me how long it took DOE to really determine everyone who was affected and to notify them – or even whether they might subsequently identify more affected individuals. But if they were first reporting 53,000 at the beginning of September when they had said 14,000 in August, it would appear that this has not been a speedy incident response in terms of analysis. Add that to their inadequate security in using an outdated version of ColdFusion, and this does not speak well for the agency’s cybersecurity.