Informed U.S. officials have downplayed the impact of the latest breach of government data in the wake of a hack of the employee information of 29,000 Department of Justice (DOJ) and DHS staff. Unidentified hackers on Sunday claimed that they had stolen personal information of about 20,000 DoJ employees — including FBI officials — and 9,000 DHS employees.
The BBC reports that U.S.government sources familiar with the hack said the compromised information paled by comparison to recent hack of personal data kept by the Office of Personnel Management (OPM).
“The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information,” DOJ spokesman Peter Carr said. “This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information. The department takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation.”
The Guardian reports that its reporters have examined hacked data posted anonymously on an encrypted Web site. The data included a DHS personnel directory. The information listed included phone numbers and e-mail addresses for individuals who have not worked for DHS in years. Some listings included long-outdated titles.
A person claiming responsibility for the hack told Motherboard, which broke the story of the breach, that he or she had first managed t get their hands on a DHS employee’s account, and then used the information from the account to convince an FBI phone operator to provide access to the DoJ’s computer system.
At 4:00 p.m. Monday, the hackers a list of DoJ employees on the same site, and that list, too, appeared outdated, although some information on it was accurate.
The BBC notes that during a Monday meeting to assess the breach, one official sad steling the lists was like stealing a years-old AT&T phone book, but other officials admitted it was unacceptable that someone could obtain an access token simply by calling a help desk and pretending to be an official from a different department.
“The bottom line is, something broke,” one official said.
Observers note that while the DHS breach is less severe than the one at OPM, it is still embarrassing for a department designated as the point of entry for all corporate data shared with government agencies in the information sharing program between industry and government created last year by the Cybersecurity Information Sharing Act.
DHS deputy secretary Alejandro Mayorkas, in a letter to Senator Al Franken sent in July, quoted troubling provisions from the bill: “The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections,” he wrote.
The hackers behind this latest breach – who were also behind earlier hacks of government agencies — say they were acting out of sympathy for Palestine. The hashtag #FreePalestine has appeared alongside several hacks in the last few months, and the DHS staff directory is prefaced with a quote from English rapper Lowkey: “This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer.”