Elizabeth Harrington reports on a newly released Inspector General’s report on the hack at the Department of Energy previously covered on this blog. Some of the highlights:
- The Energy Department was aware of “early warning signs” that personally identifiable information (PII) of its employees was at risk.
- The attackers used exploits commonly available on the internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data.
- The attack cost the department at least $3.7 million, including $1.6 million in credit monitoring and labor costs. Workers whose personal information was stolen also received administrative leave to deal with the situation, costing approximately $2.1 million in lost productivity.
- The Energy Department also underreported the significance of the breach, saying prior to the IG’s investigation that only 53,000 employees were affected. As a result, many employees were not informed that their personal information was stolen. The department is still in the process of notifying all of its employees.
Of especial note:
“We also found that the extent of PII stolen was much more extensive than that originally reported by the Department,” the IG said.
“Breached information exceeded just names, dates of birth and Social Security numbers as initially reported by the Department,” they said. “In particular, we noted through investigation or discussions with officials that select bank account numbers, places of birth, education, security questions and answers, and disabilities were also included in the loss of information.”
Read more on the Free Beacon.