Energy Dept. Hack Details Emerge

Published: 22/11/2024   Category: security




Exclusive: Unpatched ColdFusion server containing employee information was hacked; agency claims lack of budget to put proper fixes in place.



The Department of Energy has disclosed new information concerning a recent cyberattack that compromised employees' personally identifying information (PII).
The sensitive PII data compromised was limited to names, dates of birth and social security numbers, according to an internal DOE memo distributed on Aug. 29. It said the stored information did not include banking, credit card or clearance information.
A spokesman for the DOE wasn't immediately available to confirm that it sent the memo, but an agency source confirmed its authenticity. Agency officials have so far declined to respond to all requests for comment on the breach.
[What can we learn from the DOE breach? Read "Department Of Energy Cyberattack: 5 Takeaways."]
The data breach was first disclosed to employees in an Aug. 14 email, which said that no confidential DOE information had been stolen, and that data on 14,000 employees was compromised. The agency promised to notify all affected employees individually by the end of August.
The Aug. 29 memo revealed that the system hacked by attackers is called DOEInfo. The system is owned and maintained by the agency's Office of the Chief Financial Officer.
According to agency sources, who spoke on condition of anonymity, the hacked application was Internet-accessible and written in ColdFusion, a rapid Web application development platform -- developed by Allaire, then purchased by Adobe in 2005 -- that was originally designed to allow HTML pages to be connected to databases. But the version of ColdFusion being used for DOEInfo remained outdated and vulnerable to known exploits.
According to DOE sources, the problem of insecure systems that contain PII is widely known at the agency but difficult to change, since more than 1,000 systems tap DOEInfo, which maintains a single user ID for each employee, tied to employee access permissions. "Our logins still use our initials and parts of our SSN (duh). Who would think that was good enough in the first place?" one source said in an email message. "Complaining doesn't help. The answer is always, 'it costs too much to redo our PII.'"
The breach notification was also published on a DOE intranet, where some employees complained about a lack of timely, forthright communication about the breach. Some questioned whether agency officials are covering up the full extent of the breach.
The July breach marked the second time this year that DOE employee information was compromised in a cyberattack, following a January intrusion.
The memo distributed on Aug. 29 stated, "The Office of Cyber Security is working with organizations at DOE to obtain verifiable information and direction," presumably referring to the agency's participation in the breach investigation, which also involves federal law enforcement agencies. "As information becomes available, we will inform employees through e-mail and updates to the article," it continued, referring to a copy of the Thursday data breach notification that was also posted to an agency intranet.
According to a spokeswoman, the DOE has offered a year's worth of free credit monitoring services to affected employees.
