The hacker who dropped personal data on almost 30,000 employees from the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) obtained the information by simply calling the agencies’ support desks.
Federal agencies such as DHS and the Department of Justice (DoJ) have implemented two-factor authentication systems to make their portals harder to enter. The second factors include smartcards, digital tokens or other secondary ID formats.
Motherboard published an article in which it claims to have spoken directly to the anonymous hacker. The hacker, who had already gathered a legitimate password, said he simply called IT support and asked for the second authentication factor.
“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”
Once the hacker was logged in, it only took a few clicks to get access to documents on the local network.
The data was tweeted out by an account with a pro-Palestine message Feb. 8. DHS spokesman S.Y. Lee told Motherboard in an emailed statement that while they take the breach seriously, the leaked information was not sensitive.
“We are looking into the reports of purported disclosure of DHS employee contact information,” Lee said. “We take these reports very seriously, however there is no indication at this time that there is any breach of sensitive or personally identifiable information.”
Leo Taddeo, a former FBI special agent in charge of special operations and cyber division, told Nextgov that protocol would be for the helpline to instruct the employee to acquire the information in person, when his or her identity can be confirmed.
“I’m not sure it was in the protocol for the help desk to provide the token for access without significant further authentication,” Taddeo said.
The Obama administration’s budget proposal for 2017, released Tuesday, included a request for $26 million from Congress “to enhance information security and continuous monitoring, and for a stronger insider threat program.”