December 6, 2013

Department of Energy's July 2013 Cyber Security Breach

To facilitate its administrative and operational needs, the Department of Energy maintains a substantial amount of personally identifiable information (PII).  The Department's Management Information System (MIS) provides a gateway for users to access a system known as the DOE Employee Data Repository (DOEInfo) database.  Because of the importance of ensuring the security of the Department's systems and sensitive information and at the request of the Chief Information Officer, we commenced a special review into the circumstances surrounding the MIS/DOEInfo breach. 

In spite of a number of early warning signs that certain personnel-related information systems were at risk, the Department had not taken the action necessary to protect the PII of a large number of its past and present employees, their dependents and many contractors. We concluded that the July 2013 incident resulted in the exfiltration of a variety of PII on over 104,000 individuals, and that the PII stolen was far more extensive than the Department originally reported. Our review identified a number of technical and management issues that contributed to an environment in which this breach was possible, as well as numerous contributing factors related to inadequate management processes.

These issues created an environment in which the cyber security weaknesses we observed could go undetected and/or uncorrected.  While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease.  Management concurred with our recommendations and indicated that it had taken and/or initiated corrective actions. 

Topic: Management and Administration