When people enter their social security numbers or similarly sensitive credentials into online services run by the government or other organizations, they trust that their information will be given the utmost care, through strong encryption, an able security team and myriad other safeguards.
Yet based on a recent report from Ars Technica, government departments may not be as well protected as they should be. According to the news source, the U.S. Department of Energy experienced a data breach early in 2013 that exposed personal information for 104,000 people involved with the organization. This includes birthplaces, user names, security question answers and, perhaps most importantly, both social security numbers and bank account data. While the increasing sophistication of hacking tools makes it difficult to prevent breaches even when safeguards have been meticulously maintained, this was not the case with the DOE.
Security remained years out of date
Rather, critical updates for the department's systems had not been implemented in years. The specific vulnerability exploited had been pointed out to the DOE in January 2013, Ars Technica reported. Additionally, sensitive databases containing social security numbers were not encrypted, leaving them ripe for a hacker to break into. While some upgrades were not applied because of concerns about system functionality issues, these kinds of problems should not go unresolved for years, as was the case with the department.
Additionally, the 2013 breach was only one in a string of hacking attempts on the DOE. Ars Technica noted that thousands of the department's computer systems were hacked as early as October 2012, and another individual, unrelated to any of the other incidents, pleaded guilty in August to a hacking scheme that included the DOE's network. The news source highlighted that the department has run into vulnerability management problems for at least nine years.
Because of the breach, Ars Technica reported that the DOE will need to spend $3.7 million for credit monitoring and lost productivity, and even then, the cost does not account for upgrading the department's systems – which may mean they will continue to be plagued by security issues.
Personal caution doesn't help when organizations don't practice the same
Individuals concerned about privacy issues should understandably be worried by this news, as even their most meticulous efforts to maintain online security and anonymity could be undone by out-of-date systems that are critical to their private or professional lives. While the days of password-only authentication are fading, there are problems that extend beyond simplistic verification details.
Ars Technica also suggested that the DOE's IT infrastructure might have been safer had it used two-factor authentication. The techniques used to bypass passwords, encryption or other protections are generally different from those needed to compromise a smartphone or another second factor, so requiring multiple authentication methods means that if one safeguard is breached, the other form of protection may remain firm and prevent unauthorized access to personal data.
Because of the issues that affected the Department of Energy, organizations in both the public and private sector should move toward more secure means of verifying their users. Working with a group dedicated to both privacy and identity management can help when building systems to keep out online intruders. Governmental departments partnering with other institutions can also reduce the need to centralize user data, which minimizes the chance that any one breach will reveal all of the information required to commit identity theft or other forms of fraud. Taking some of the burden off of government services could avoid some of the problems they have experienced.