Poor Patching, Communication Facilitated July Dept. of Energy Breach
- The U.S. Department of Energy describes what led to the July breach.
- Failures in vulnerability management and access controls, and a general lack of communication between decision makers.
- Hackers were able to penetrate a Web-facing application and steal personal information on 104,179 current and former employees, dependents and contractors.
- They had access to information that could have included names, addresses, Social Security numbers, dates of birth and bank account information, all stored unencrypted.
- DOE failed to live up to industry standards and government mandates, not only around encryption of sensitive data but also around installing software updates: patches purchased in March that would have prevented the breach instead sat for five months in a testing environment. Applying them would have cost significantly less than the expected $3.7 million price tag for credit monitoring and other recovery costs.