The Department of Energy failed to address suspected cyber-security weaknesses before a July hacking incident that compromised the private information of employees, their dependents and contractors, according to federal auditors.
In a report released Wednesday, Department of Energy Inspector General Gregory Friedman said the breach last summer affected more than 104,000 individuals, providing access to names, Social Security numbers, dates of birth and other information from a human-resources network.
The department has been hacked three times since May 2011, according to auditors. DOE acknowledged two incidents this year alone, telling employees in an August memo that it would offer one year of free credit monitoring for impacted personnel and assistance in protecting them from identity theft.
The inspector general determined that those efforts, along with paid leave allowed for individuals needing to correct issues associated with the breaches, could cost the government up to $3.7 million.
Auditors found that the department did not implement accepted standards for protecting its networks and failed to ensure that its security controls were working effectively in many cases.
The report said the department used complete Social Security numbers contrary to federal guidance, allowed direct Internet access to a highly sensitive system without adequate protections and failed to take action on known network vulnerabilities.
“In spite of a number of early warning signs that certain personnel-related information systems were at risk, the department had not taken action necessary to protect the [information],” Friedman said in a summary.
Confusion about who was in charge of making the fixes, poor communication among responsible officials and pressure to keep systems running to maintain productivity all contributed to the problems, according to the report.
Despite the recent breaches, the department said in August that no classified government information was compromised or targeted. However, hackers could use stolen employee data to access other agency systems, potentially leading to future intrusions.
“Given the unprecedented extent of this security event and loss of [personally identifiable information], prompt and effective corrective actions are essential,” Friedman said.
In its response to the audit findings, the department agreed to implement all of the inspector general’s recommendations. The measures include clarifying who is responsible for the affected systems, developing a central authority to shut down networks known to be vulnerable and removing unnecessary information, including Social Security numbers where possible.