According to reports, the Department of Justice (DoJ) has been hacked and personal information of 29,000 government employees leaked. The hacker extracted 200GB of data from the DoJ, including names, job titles, email addresses, and phone numbers of over 20,000 FBI employees and over 9,000 Department of Homeland Security employees.
The hacker gave reporters at Motherboard access to the information that was stolen. The reporters called the phone numbers to check if the information was legitimate. In fact, many of the test calls went through to the correct voicemail and matched with the names listed in the database.
Both employee lists from the FBI and DHS have been leaked via a Twitter account. The DoJ hack is yet another in a string of widely publicized breaches of U.S. security.
Along with sharing access to the information taken from the DoJ database, the hacker detailed the attack to Motherboard reporters. He claims to have used social engineering tactics to compromise the email account of a DoJ employee – which was also used to contact the reporters.
Using that account, the hacker attempted to log into the DoJ web portal, but was denied access. He then called the IT department, claiming he was a new employee who needed help accessing the portal. They asked him for his token, and when he said he didn't have one, they let him use the department's and gave him access.
The hacker was then able to log in and enter the credentials of the hacked email account to access the online virtual machine, and subsequently gained full access to the computer. This gave the hacker access to the user's contacts, documents, local network, and databases.
This hack is another common example of how human error can lead to a full-scale data breach. Once again, it's imperative to increase staff awareness regarding cyber threats. Educating your workforce on common threats like social engineering and phishing attacks is the best defense you have.
The IT department's request for a token shows that, at the very least, security policies and procedures were in place. However, it seems that isn't enough anymore. For access to highly sensitive information, using a 'digital identity' can prove to be effective against social engineering attacks.
For example, before granting a user access, organizations can check the user’s location, the time of day, the configurations of the computer, and antivirus tools in place. If everything checks out according to the ‘digital identity’ of the user, then access is granted. This is the logical trend of user authentication going forward with highly sensitive and confidential information.
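A minimal sketch of such a 'digital identity' check, added here as an illustration and not taken from any DoJ system or product. The class names, field names, the idea of binding a token serial to one user, and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class DigitalIdentity:
    """Expected context for one user; every value here is a constructed sample."""
    user: str
    countries: frozenset       # locations the user normally works from
    work_start: time           # same-day window, no overnight shifts
    work_end: time
    device_ids: frozenset      # enrolled, managed computers
    token_serial: str          # token issued to this user only (assumption)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    country: str
    local_time: time
    device_id: str
    antivirus_running: bool
    token_serial: str


def evaluate(identity, req):
    """Return (granted, failed_checks); access is denied unless all checks pass."""
    checks = {
        "user": req.user == identity.user,
        "location": req.country in identity.countries,
        "time_of_day": identity.work_start <= req.local_time <= identity.work_end,
        "device": req.device_id in identity.device_ids,
        "antivirus": req.antivirus_running,
        "token": req.token_serial == identity.token_serial,
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)


PROFILE = DigitalIdentity("jdoe", frozenset({"US"}), time(7, 0), time(19, 0),
                          frozenset({"LAPTOP-0001"}), "TOKEN-A")
# Usual context: every signal matches the profile.
NORMAL = AccessRequest("jdoe", "US", time(9, 30), "LAPTOP-0001", True, "TOKEN-A")
# Valid username, but unknown machine, 02:15, and a token issued to someone else.
BORROWED = AccessRequest("jdoe", "US", time(2, 15), "UNKNOWN-PC", False, "TOKEN-HELPDESK")

if __name__ == "__main__":
    print(evaluate(PROFILE, NORMAL))
    print(evaluate(PROFILE, BORROWED))
```

Because the decision is made from the request context and not by a person on the phone, a borrowed token fails the check even when the username and password are valid.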