Poor patch management, unsupported systems, and inadequate authentication controls have left some US federal government systems open to hackers, resulting in 11 major incidents in the fiscal year to September 30, 2023, according to a new report from the US Office of Management and Budget (OMB).
Over the 12-month period, federal agencies reported 32,211 information security incidents, up almost 10% from the 29,319 reported in fiscal year 2022.
The report, produced by the OMB in compliance with the 2014 Federal Information Security Modernization Act and the 2015 Cybersecurity Act, identified “improper usage” and “email/phishing” as the most common attack vectors, at 12,261 and 6,198 incidents respectively.
Not all of the incidents were consequential, but the OMB qualified 11 of them as “major”. Here’s the low-down on what happened.
1. Better in than out?
A ransomware attack targeted network file shares on a system owned and operated by a contractor working with the Department of Health and Human Services’ (HHS) Centers for Medicare and Medicaid Services (CMS). This resulted in the exposure of personal data for 2.8 million individuals, 1.3 million of them deceased. The compromised information included names, addresses, dates of birth, Medicare identifiers, and bank details. As a result of the incident, CMS moved the systems in-house and offered victims free credit monitoring.
2. An ounce of prevention
In another major incident involving HHS, attackers targeted two contractors using a zero-day vulnerability to access systems containing HHS data. There was no sign that HHS systems were compromised, but the compromise of the contractors’ systems potentially exposed the personal information of 1.88 million individuals held for agencies including the Centers for Disease Control and Prevention, the National Institutes of Health, and CMS. This included names, social security numbers, email addresses, phone numbers, dates of birth, medical diagnoses, and other information.
3. US Marshals held to ransom
In February 2023, ransomware hit a computer system at the United States Marshals Service (USMS) containing personal information on staff and those involved in legal processes, forcing the USMS to build a new system and restore from backup. Affected individuals were notified and offered free credit monitoring.
4. Justice served
Another ransomware incident, this time in May 2023, hit systems at a vendor providing data analytics support for specific cases for the Department of Justice’s Civil Division and some US Attorneys’ offices. This attack compromised personal and medical data. A third-party incident response service was called in to investigate and clean up, and affected individuals were offered credit monitoring services.
5. Oops, they did it again
In an unforced error, the Internal Revenue Service (IRS) inadvertently exposed personal information that it had already exposed the previous fiscal year. The IRS is supposed to disclose 501(c)3 organizations’ miscellaneous income by publishing redacted versions of their Exempt Organization Business Income Tax Return (990-T) forms. It hired a contractor to help automate this process, but a coding error led to the forms of all 501(c) organizations being exposed until the error was reported in August 2022. Although the data was promptly removed from the public web server, it was inadvertently published again from a staging server in the following fiscal year.
6. No big deal?
The OMB made a big deal of one incident involving a bad actor gaining access to the login credentials of just one employee for just 15 hours — maybe because that person worked for the Office of the Inspector General (OIG), which has full access to all records and materials available to the Treasury Department, determines which of them to audit or investigate, and writes the reports. Due to the OIG’s defense in depth, the nation-state sponsored actor behind the attack was unable to access any information resources or introduce any malware during the time they had access. The Treasury Department updated its multi-factor authentication policies, validated software configurations, and subjected staff to awareness training to prevent a recurrence.
7. Zero-day survey
The US Office of Personnel Management (OPM) reported a major incident involving a zero-day vulnerability in a file transfer application — likely the MOVEit hack, although it was not explicitly named — used by a contractor supporting the Federal Employee Viewpoint Survey (FEVS). The breach compromised government email addresses, unique survey links, and OPM tracking codes for about 632,000 employees at the Departments of Justice and Defense. In response, OPM stopped transferring FEVS data to the contractor, deactivated the survey links, assessed the harm, and notified affected individuals. The assessment found no evidence of unauthorized access or manipulation of survey results.
8. CFPB reinforces loss prevention
A Consumer Financial Protection Bureau employee — no longer with the agency, naturally — sent to their personal email account 14 emails containing personal information and two spreadsheets with details of around 256,000 customers of a single financial institution. The former employee ignored demands from the CFPB to delete the emails and provide proof of deletion. The official assessment indicated the data couldn’t be used for account access or identity theft, but some affected individuals were notified just in case. In addition, the CFPB strengthened technical controls to prevent inadvertent breaches, reminded all staff and contractors of its privacy policies, and reviewed all its information management procedures.
9. Thanks, I’d rather drive
Federal employees benefitting from the TRANServe initiative may have regretted their decision to take the train. Approximately 237,000 of them were potentially affected when attackers breached several administrative systems and stole personal data from the Parking and Transit Benefit System (PTBS), which administers incentives to federal employees to take mass transportation to work. The attackers exploited an unpatched critical vulnerability in an unnamed commercial web application development platform, obtaining names, home and work addresses, and the last four digits of social security numbers. The Department of Transportation rebuilt affected servers with patched software, and offered credit monitoring services to staff.
10. Forgotten impact assessment has big impact
An authorized developer at the Interior Department’s Interior Business Center (IBC) modified a payroll system’s security policy, inadvertently allowing HR personnel to view 36 federal agencies’ employee records. This potentially exposed personal data of around 147,000 individuals. An investigation revealed that the IBC failed to conduct a privacy impact assessment after changes to its systems, prompting it to strengthen internal processes and training.
11. Radioactive exposure data exposed
The Department of Energy reported that a known but unnamed ransomware group exploited a zero-day vulnerability in a supposedly secure file transfer product used by the Waste Isolation Pilot Plant (WIPP) and Oak Ridge Associated Universities (ORAU). The ransomware group was able to access WIPP and ORAU systems and claimed it had exfiltrated data, potentially involving the details of 34,000 individuals in a health monitoring program for former DOE employees and 66,000 individuals from the Office of Science. The compromised data included names, birthdates, social security numbers, and some health information. Affected individuals were notified and provided with identity monitoring services.
It’s not all bad news, though. Despite a year-on-year increase in security incidents, the OMB audit noted that agencies have improved in adopting cyber defensive measures. Every agency selected an enterprise EDR platform as per OMB directives and expanded its cyber detection capabilities. That resulted in 96 percent of federal civilian executive branch agencies reporting an increase in the “detect” category in fiscal year 2023, compared to the previous year.