March EPA Data Breach Impacts 8,000 People

August 6, 2012

The U.S. Environmental Protection Agency (EPA) has confirmed an IT security breach through which Social Security numbers, bank routing numbers and other personal data involving nearly 8,000 people, mostly current agency employees, were exposed, according to an article from CRN.

The breach, which occurred in March of this year, is under investigation by the EPA, and, according to a report from the Washington Business Journal, occurred through an email that contained a malicious attachment. The report goes on to quote federal officials who believe it is unlikely that any of the information was shared with anyone, the CRN article states.

However, it is the delay in disclosure that is alarming to Tony Busseri, CEO of Route1, Inc., a Toronto-based security and identity management company with customers including the Canadian government, the U.S. Department of Defense, the Department of Homeland Security and various other federal agencies.

According to the CRN article: "Doesn't the government have a responsibility to disclose when such breaches occur?" asked Busseri. "This happened in March, so the time it took to disclose this is just far too long."

"The second aspect of this is that we keep ignoring good practices that will protect our data," Busseri continued. "There's a Homeland Security presidential directive that provides a standard way of authentication for accessing sensitive data by government employees. Based on the latest numbers we've seen, only about 10 percent of the civilian employees of the U.S. government are compliant with the standards. This basically tells us that there is a very poor authentication and identity match around government employees accessing our information. They are making it very easy for the hacker community to take advantage of bad policies and protocols."

Busseri is calling for acknowledgment that using a basic username and password is insufficient authentication, and the system should be replaced by multifactor authentication.

"We need to follow the policies, stop approving exceptions to those policies, train employees so they understand the need for the restrictions and the importance of security. The government should also stay in touch with the private sector around next-generation tools that will continue to help us hinder the black hat hacker community."

Busseri also recommended that channel partners show stories of such breaches to their customers to help drive home the need for effective security. "A lot of people think that security needs to mean greater cost," he said. "But, that's not true. It merely supports the business models of the large security vendors who have actually been pretty lazy about evolving their technologies to meet the current threats. But, good security can actually save them money."

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.