U.S. government employees just can’t catch a break. Still reeling from the consequences of the devastating OPM hack last June, a new attacker has released the personal information of 29,000 FBI and DHS workers.
While most of the country was tuned into Super Bowl 50 this past Sunday, the hacker was announcing his plans on Twitter, according to Vice’s Motherboard:
Immediately following the game’s start, the hacker published 9,000 DHS employee records, containing names, email addresses, and job descriptions. The following Monday, the hacker released the promised 20,000 FBI records.
A strong political line was held throughout the releases, as the attacker made numerous references to the “FreePalestine” hashtag:
Motherboard, having obtained a copy of the records directly from the hacker, reports that “the list also includes roughly 1,000 FBI employees in an intelligence analysis role.”
However, Peter Carr, a Department of Justice spokesperson, had this to say: “This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information.”
This statement matches the attack outline provided by the hacker himself, who accessed the database containing the information through social engineering. “The cybercriminal reached out to Motherboard through an apparently compromised DOJ email account earlier last week, and claimed to have obtained the stolen data by compromising that account and then using it to access a DOJ portal,” according to the Motherboard article.
“After tricking a department representative into giving him a token code to access the portal, the hacker claimed he used the compromised credentials to log into the portal, where he gained access to an online virtual machine. From here, the cybercriminal was presented with three different computers to access, he said, one of which belonged to the person behind the compromised email account. The databases of DHS and FBI details were on the DOJ intranet, the hacker said.”
This failure follows a period of heavy criticism for the U.S. government’s ability to protect its own data, beginning with the OPM hack, and followed by subsequent attacks on the email accounts of several high-ranking intelligence officials.
“What has anybody in the United States government learned?” asked Michael Adams, a former information security expert for US Special Operations Command, in a Motherboard phone interview. “They’re not doing information security fundamentals, obviously. It’s just f&^%$&# unacceptable.”
Obviously, the ongoing struggle of the Federal government to establish or enforce an effective security policy is providing attackers with an easy mark — whether they’re acting for political reasons or simply “doing it for the lulz.” This time, the records released weren’t as damaging as those leaked through the OPM breach, but any information leaking at all is cause for concern.