Monday 8 February 2016

US officials downplay impact of Department of Justice hacking

US officials have downplayed the impact of the latest hack of government data, this one containing employee information from 29,000 Department of Justice (DoJ) and Homeland Security (DHS) staff.
Hackers claimed Sunday night to have stolen sensitive information from some 20,000 people employed by DoJ, including Federal Bureau of Investigation officials, and another 9,000 from DHS. But government sources familiar with the hack said the compromised information paled by comparison to the recent data theft from the Office of Personnel Management (OPM).
“The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information,” DoJ spokesman Peter Carr told the Guardian. “This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information. The department takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation.”
Hacked data posted anonymously on an encrypted website and reviewed by the Guardian included a DHS personnel directory. The information listed included phone numbers and email addresses for individuals who have not worked for DHS in years. Some listings included long-outdated titles.
The encrypted DHS directory appeared online just before 7pm EDT on Sunday. The password was “lol”.
A person claiming responsibility told Motherboard, which broke the story of the hack, that he or she had compromised a DHS employee’s account and then used the information from it to convince an FBI phone operator to provide access to the DoJ’s computer system.
Hackers promised to release information from the DoJ on Monday, and at 4pm EDT a similar list was posted on the same site, with a DoJ staff directory that also appeared to be somewhat out of date. That list also appeared genuine and included working phone numbers for some DoJ staff.
During a government-wide meeting Monday morning to assess the hack, an official likened it to stealing a years-old AT&T phone book after the telecom had already digitized most of its data. But knowledgeable officials admit that it should be harder to obtain an access token by impersonating an official from a different department over the phone to a help desk.
