Energy Department Updates Breach Count, Says 53,000 Affected

Published: 22/11/2024   Category: security


DOE offers employees a free year of identity theft monitoring services after hackers steal personal info, including social security numbers.



9 Android Apps To Improve Security, Privacy (click image for larger view)
The Department of Energy (DOE) has confirmed reports that it suffered a data breach in July that led to the theft of employees' personally identifiable information (PII).
"The department has now identified approximately 53,000 past and current federal employees, including dependents and contractors, whose name, social security number, and date of birth were compromised by this cyber incident," read a "July 2013 Cyber Incident" breach notification posted Friday to the DOE's public-facing website.
The July breach involved an outdated, publicly accessible ColdFusion system known as DOEInfo, which sources said hadn't been patched against known vulnerabilities. DOEInfo is an employee database owned and maintained by the agency's Office of the Chief Financial Officer.
"Based on the findings of the department's ongoing investigation into this incident, we do believe PII theft might have been the primary purpose of the attack," according to the notification. "Accordingly, the Department encourages each affected individual to be extra vigilant and to carefully monitor bank statements, credit card statements, emails and phone calls relating to recent financial transactions."
In a phone interview Tuesday, an agency spokeswoman said that all affected employees have been offered a free year of identity theft monitoring services.
As is standard practice, the DOE breach is being investigated by the agency's Cybersecurity office, the Office of Health, Safety and Security, and the Inspector General's office, as well as federal law enforcement agencies. "Once the full nature and extent of this incident is known, the Department will implement a full remediation plan," said the notification.
The DOE's breach notification is also interesting for what it doesn't say. For example, it poses this rhetorical question: "How did the disclosure of personally identifiable information happen?" But the agency's own response is a non-answer: "Department of Energy networks and employee information hosted on these networks are protected in accordance with federal laws and Department of Energy policies. We are working with interagency partners on actions that can be taken against those responsible and to reduce the likelihood of another successful attack."
The agency's Friday announcement marked the first public comment issued by the agency since it confirmed that a leaked DOE memo published by The Wall Street Journal on Aug. 15, 2013 -- which said that a late July hack had compromised PII for 14,000 current and former agency employees -- was genuine. But as the agency's investigation has continued, the count of affected people has climbed to 53,000, and expanded to include dependents and contractors.
The agency said that it will notify all breach victims within the next two weeks. If you do not receive a notification letter by September 15, 2013, you should assume it is unlikely your PII was affected, according to the notification. If DOE later determines your PII was affected you will be notified, regardless of the date of discovery.
But the agency has directly notified affected employees as its investigation progressed. One agency employee said via email that both she and her husband, who's retired from the agency, received breach notification letters dated Aug. 16, which said that their PII was believed to have been compromised, and which also offered them a year's free credit monitoring.
Details of the investigation, however, don't appear to have been fully shared with officials at DOE facilities, which are run by contractors. Sources said that some facilities officials have literally been combing through Microsoft Exchange mailboxes to try to identify which of their personnel received a direct breach notification, so that officials at the facility can identify who was affected, as well as offer follow-up guidance and support.
The July breach marked the second time this year that the agency suffered an intrusion, following a January hack attack that was disclosed in February.
News of the July breach has been posted to internal DOE websites, where personnel can respond. One commenter claimed to have seen up to $5,000 in fraudulent charges as a result of the breach, thanks to a cell phone that was fraudulently obtained in his name. Others criticized DOE officials for doing too little to safeguard their personal information. I will provide the hackers my shoe size, so get it right, one said.
