The U.S. departments ofJustice andHomeland Security on Monday announced they were investigating reports that a hacker broke into government computer systems and stole sensitive information about employees at the agencies.
The hacker posted stolen information for about 9,000 DHS employees online Sunday and made public data on 20,000 FBI employees Monday.
“We are looking into the reports of purported disclosure of DHS employee contact information,” DHS said in a statement provided to TechNewsWorld by spokesperson S.Y. Lee.
“We take these reports very seriously; however, there is no indication at this time that there is any breach of sensitive or personally identifiable information,” the department added.
A DOJ spokesperson wasn’t immediately available for comment for this story.
The department was investigating “unauthorized access of a system operated by one of its components containing employee contact information,” DOJ spokesperson Peter Carr told The Guardian, adding that no sensitive personally identifiable information appeared to have been compromised
DHS data posted to the Web contained phone numbers and email addresses of people who hadn’t worked for the agency in years, according to an examination of the information by The Guardian. The data also included outdated titles.
Motherboard reported the data theft Sunday, saying a hacker had turned the stolen information over to it and announced his intention to go public with the information.
Using the compromised email account of a DOJ employee, he used social engineering to get into the agency’s intranet and download 200 GB of files, the hacker explained to Motherboard.
After failing to penetrate a DOJ Web portal, the hacker said, he phoned a government department, acted like a newbie, and was given a code for accessing the portal by an employee.
Once inside the portal, the hacker said he gained access to the computer used by the person whose email he had compromised. From there, he had access to DOJ’s internal network.
As cyberattacks go, this one was an unsophisticated one.
“It was a fairly simplistic attack combined with social engineering, but audacious when you’re going after an FBI employee,” said Richard Stiennon, chief research analyst withIT-Harvest.
It’s easy for complacency to set in at high-volume call environments such as government help desks, he told TechNewsWorld.
“If you flood a help desk with password reset requests and similar requests without any negative consequences, eventually operators are going to get comfortable handing out login tokens,” Stiennon explained.
This breach illustrates that no matter how secure a system is believed to be, it always has an Achilles’ heel, noted Jeff Hill, channel marketing manager forStealthbits Technologies.
“All the advanced algorithms, machine learning and log aggregators can’t protect an organization from a gullible employee susceptible to the ‘Look, your shoe’s untied’ ruse,” he told TechNewsWorld.
Organizations need to monitor employee behavior if they want to be secure, Hill noted.
“In today’s world, the best cybersecurity strategy is to look for and identify suspicious behavior of legitimate accounts,” he said.
“Believing that a security plan can realistically prevent motivated hackers from compromising credentials in the first place is nave at best,” Hill said.
While some organizations have turned to training to combat employee exploitation by hackers, training is not enough, maintained Chase Cunningham, director of cyberthreat research and innovation atArmor, formerly FireHost.
“Government thinks it can train its workforce out of this, but this is proof that that’s not the case,” he told TechNewsWorld.
“Government is bound by the budget it’s given, so it can’t replace people with technology,” he added, “even though that would be the best solution in a lot of cases.”