The number of individuals whose personal information may have been compromised by a recent data breach at the Department of Energy has doubled in the last few weeks. According to InformationWeek, Energy Department administrators had to revise this number as new information came to light that more individuals were compromised in the July data leakage than was previously thought.
“The department has now identified approximately 104,179 past and current federal employees, including dependents and contractors, whose name, social security number, and date of birth were compromised by this cyber incident,” the agency’s website noted.
SC Magazine reported in August that 14,000 individuals were affected. Shortly thereafter, in September, eSecurity Planet reported that the personal information of 53,000 current and former employees had been affected. Of the department's most recent figure, InformationWeek stated that 64,480 individuals were people in the department’s Federal and Management and Operating Contractor Community. This data leakage includes not only current and past employees, but spouses and dependents as well.
July data breach and future protection
Cybercriminals involved in the data leakage breached the agency’s DOEInfo system, an employee database containing personal information. InformationWeek stated that the hack was relatively easy for black hats, as the database was contained in an “outdated, publicly accessible ColdFusion system.” Further compounding the issue, the platform had not been patched against known weaknesses around the time of the incident. However, the agency does not believe the criminals were attempting to access top secret plans or other government information.
“Based on the findings of the Department’s ongoing investigation into this incident, we do believe PII theft may have been the primary purpose of the attack,” stated the website.
According to information on the Department of Energy’s website, the agency has been notifying those affected by the breach, as well as offering assistance for further protection, including free credit monitoring for one year. In addition, InformationWeek stated that the department is also offering monitoring services for dependents affected by the data leakage. The service will oversee the Social Security numbers of children and adolescents who may not have a previous credit history to ensure stolen data pertaining to these individuals is not used maliciously.
The website stated that those who did not receive communications from the agency by Oct. 15, 2013 should assume their information was unaffected by the breach. However, the agency is still urging individuals to keep a watchful eye out for suspicious activity related to compromised personal information, especially financial transactions.