Details Behind a Very Costly Breach

In-Depth Assessment of Hack on Energy Department System


A combination of technical and managerial problems set the stage for hackers to breach the Department of Energy's Employee Data Repository database, known as DOEInfo, last summer, a new report shows. And the incident that exposed the personally identifiable information of at least 104,000 individuals proved costly.

In a newly issued special report by DoE's inspector general, auditors estimate the cost of the breach to be at least $3.7 million, including $1.6 million for credit monitoring costs for victims and salaries for call center employees handling breach inquiries as well as $2.1 million in lost productivity when employees took time off from work to address the personal consequences of the breach.

DoE Inspector General Gregory Friedman didn't identify a single point of failure that led to the breach in the special report, but says a combination of technical and managerial problems set the stage for hackers to access the system with relative ease.

"The attackers in this case were able to use exploits commonly available on the Internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data - information that could be used to damage the financial and personal interests of many individuals," he says.

Receiving DHS Help

DoE spokeswoman Niketa Kumar says the department takes the security of its databases and systems very seriously and appreciates the inspector general's review, which Robert Brese, the department's chief information officer, had requested. "The department continues to work with its federal partners, including the Department of Homeland Security, to put in place new protections to further strengthen our cyberdefenses and restrict unauthorized disclosure," Kumar says.

The department is examining all of its online systems and applications and implementing new protections to further strengthen cyber-defenses and restrict unauthorized access, a process started immediately after the breach. By the end of January, DoE says it expects to remove all unnecessary information and Social Security numbers where feasible and add encryption tools to protect the remaining information.

The department also says it will implement continuous monitoring of all DoE systems and strengthen its overall capability to respond quickly and effectively to any cyber-incident.

The Breach Timeline

On July 2, an application developer working for the chief financial officer's office noticed an anomaly in the DOEInfo system logs while investigating an unrelated matter, the special report reveals. The developer reported the anomaly to the Energy Department's IT services organization, which reports to the CIO.

Twenty-two days later, hackers breached the department's management information system server, according to a subsequent forensic analysis. The next day, DoE discovered another anomaly: The server ran out of space and failed to respond to a normal data request even though CFO office representatives contend there should have been ample memory available. Rather than investigate, computer operators deleted the largest unnecessary data file on the server to allow the system to function normally.

On July 26, attackers successfully exfiltrated data from the DOEInfo database through the MIS server when they elevated their privileges to a role that provided unlimited access to the database and other files on the MIS server. They then ran more than 600 queries against the system, according to the special report.
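The sequence the special report describes, an unexplained disk-exhaustion event, a session escalating to a role with unlimited database access and then issuing more than 600 queries, is exactly the kind of pattern that continuous monitoring can catch before data leaves. The following is an added illustration, not code from the report, the department, or DOEInfo: a small detector run over constructed audit log lines. The log format (`sess=`, `event=`, `role=` fields), the privileged role name `db_admin`, the query threshold and the time window are all assumptions chosen for the example.

```python
"""Flag two anomalies from the timeline over constructed audit logs:
 1. a session that switches to a privileged role and then issues an
    unusually large number of queries within a short window;
 2. a disk-exhaustion event, which should be investigated rather than
    cleared by deleting files.
The log format, role name and thresholds are assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> sess=<id> event=<type> [key=value ...]"
LINE_RE = re.compile(r"^(?P<ts>\S+) sess=(?P<sess>\d+) event=(?P<event>\w+)(?: (?P<rest>.*))?$")


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest") or ""
    attrs = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "sess": m.group("sess"), "event": m.group("event"), **attrs}


def detect_anomalies(lines, privileged_roles, query_threshold=100,
                     window=timedelta(minutes=10)):
    """Return alerts in the order they fire.

    A 'privileged_role_query_burst' alert fires once per session the first
    time that session, after changing to a role in privileged_roles, has
    more than query_threshold queries inside the sliding window.
    A 'disk_exhaustion' alert fires for every disk_full event."""
    escalated_at = {}               # sess -> time of privileged role change
    recent_queries = defaultdict(list)  # sess -> query timestamps in window
    alerted = set()
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        s = rec["sess"]
        if rec["event"] == "role_change" and rec.get("role") in privileged_roles:
            escalated_at[s] = (rec["ts"], rec["role"])
            recent_queries[s] = []
        elif rec["event"] == "query" and s in escalated_at and s not in alerted:
            q = recent_queries[s]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # slide the window forward
                q.pop(0)
            if len(q) > query_threshold:
                alerted.add(s)
                alerts.append({"rule": "privileged_role_query_burst", "sess": s,
                               "role": escalated_at[s][1],
                               "escalated_at": escalated_at[s][0],
                               "queries_in_window": len(q), "at": rec["ts"]})
        elif rec["event"] == "disk_full":
            alerts.append({"rule": "disk_exhaustion", "sess": s,
                           "mount": rec.get("mount"), "at": rec["ts"]})
    return alerts


def build_sample_log():
    """Constructed sample log (not real DOEInfo data): one session that
    escalates and fires 650 queries, one ordinary session, one disk_full."""
    base = datetime(2013, 7, 26, 1, 12, 0)
    lines = [f"{base.isoformat()} sess=17 event=login user=app_svc",
             f"{(base + timedelta(seconds=9)).isoformat()} sess=17 event=role_change role=db_admin"]
    for i in range(650):
        lines.append(f"{(base + timedelta(seconds=15 + i)).isoformat()} sess=17 event=query sql=q{i}")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} sess=18 event=login user=reporting")
    for i in range(20):
        lines.append(f"{(base + timedelta(minutes=5, seconds=i)).isoformat()} sess=18 event=query sql=r{i}")
    lines.append(f"{(base + timedelta(hours=2)).isoformat()} sess=0 event=disk_full mount=/var/lib/mis")
    return lines


if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_log(), {"db_admin"}):
        print(alert)
```

The burst rule deliberately keys on the role change rather than on raw query volume alone, so a legitimately busy reporting session (session 18 above) stays quiet while a session that has just acquired unlimited access is held to a tight budget; the disk-exhaustion rule exists because, in the report's account, the operators' response to the full disk was to delete the largest file rather than ask why it had filled.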

DoE discovered the breach on Aug. 8 and took the server offline. Ten days later, DoE reactivated the server on the internal network after rebuilding the virtual machine and Web application using a clean operating system and an updated version of the application software.

In late October, authorities arrested Lauri Love, 28, of Stradishall, England, for hacking into the DoE and other government systems (see Brit Charged with Hacking Federal IT). In an online conversation obtained by law enforcement, Love and his conspirators discussed the data breach in real time while commencing the hack. Love commented, according to Justice Department records, "they [the DoE] must have about 30k employees" and he then cut and pasted the personal information of various employees from the protected computer to the online conversation.

Missteps Leading to the Breach