The department "takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation," the DOJ email said.
There was some initial speculation that the information about the DHS employees might include Social Security numbers or perhaps credit card numbers; however, that does not appear to be the case. While most of the DHS records included an email address, none contained passwords, financial information or even the employee's location.
Now that the data is on the Internet, the next question is, how did this happen? Perhaps more important, what was DHS employee information doing on a computer in the Justice Department? For that matter, what was FBI employee data doing on that computer?
It's highly unlikely that anyone at DOJ will discuss what they were doing with a list of DHS employees. It's equally unlikely that the agency will explain the existence of an FBI employee list on an unsecured computer.
But, thanks to the braggadocio of the hackers, we have an idea how the data was breached, although not how they targeted the person they chose. Sadly, they apparently got into the account simply by calling the help desk and asking for access by posing as a user locked out of his or her account.
Apparently, the hackers were stopped by a requirement for a security key, so they called the help desk. The help desk asked whether they were new employees, then provided them a key. Yes, just like that.
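The attack as described has two tells that a security operations team can look for after the fact: a help-desk token issuance that closely follows failed second-factor attempts on the same account, and an "I'm new" claim for an account that already has MFA history. The following Python is an added example, not from the article or any of the agencies involved; the log formats, field names, ticket identifiers and the 30-minute correlation window are assumptions, and the log lines are constructed for illustration.

```python
"""Flag help-desk security-key issuances that look like the social-engineering
pattern described above.

Added example; log formats, field names and the correlation window are
assumptions, and the sample log lines are constructed, not real data.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed window between failed MFA and help-desk call

# Constructed identity-provider (IdP) events: timestamp, source, key=value pairs.
IDP_LOG = """\
2016-02-08T09:12:03Z idp user=jdoe event=password_ok src=203.0.113.7
2016-02-08T09:12:05Z idp user=jdoe event=mfa_failed src=203.0.113.7
2016-02-08T09:12:40Z idp user=jdoe event=mfa_failed src=203.0.113.7
2016-02-08T10:01:00Z idp user=asmith event=password_ok src=198.51.100.4
2016-02-08T10:01:02Z idp user=asmith event=mfa_ok src=198.51.100.4
"""

# Constructed help-desk ticketing events. 'onboarding=yes' means the agent
# recorded the caller's claim to be a new employee.
HELPDESK_LOG = """\
2016-02-08T09:20:11Z helpdesk user=jdoe action=token_issued agent=hd17 ticket=INC-4412 onboarding=no
2016-02-08T11:30:00Z helpdesk user=bnew action=token_issued agent=hd02 ticket=INC-4420 onboarding=yes
2016-02-08T12:00:00Z helpdesk user=asmith action=token_issued agent=hd02 ticket=INC-4430 onboarding=yes
"""


def parse(log):
    """Turn '<ts> <source> k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
        for pair in pairs:
            key, value = pair.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def find_suspicious_issuances(idp_log, helpdesk_log, window=WINDOW):
    """Return (user, ticket, reason) for token issuances matching either rule.

    Rule 1, failed_mfa_then_token: a key was issued without an onboarding
    ticket within `window` after the same account failed an MFA challenge.
    Rule 2, enrolled_user_claimed_new: the caller claimed to be new, but the
    account had already completed an MFA challenge before the call.
    """
    idp = parse(idp_log)
    findings = []
    for hd in parse(helpdesk_log):
        if hd.get("action") != "token_issued":
            continue
        user = hd["user"]
        recent_failures = [
            e for e in idp
            if e["user"] == user and e.get("event") == "mfa_failed"
            and hd["ts"] - window <= e["ts"] <= hd["ts"]
        ]
        prior_mfa_ok = any(
            e["user"] == user and e.get("event") == "mfa_ok" and e["ts"] < hd["ts"]
            for e in idp
        )
        if recent_failures and hd.get("onboarding") != "yes":
            findings.append((user, hd["ticket"], "failed_mfa_then_token"))
        if hd.get("onboarding") == "yes" and prior_mfa_ok:
            findings.append((user, hd["ticket"], "enrolled_user_claimed_new"))
    return findings


if __name__ == "__main__":
    for user, ticket, reason in find_suspicious_issuances(IDP_LOG, HELPDESK_LOG):
        print(f"{ticket}: {user} {reason}")
```

Neither rule proves an intrusion on its own; a legitimate locked-out user will trip the first one. The value is in routing these cases to a reviewer who checks that the agent performed out-of-band verification (callback to a number of record, manager confirmation or an HR-sourced start date) before the key was handed over, which is exactly the step that was missing in the incident described.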
"They social-engineered the internal IT," said Stu Sjouwerman, founder and CEO of security awareness training company KnowBe4. "The help desk is most prone to social engineering because they get rewarded for helping."
Sjouwerman said that his company just completed a study showing that the help desk and human resources are among the most vulnerable areas because their mission is to help users and that can mean also helping hackers inadvertently. He noted that this doesn't explain how such sensitive information happened to be on the computer that was breached. "The fact that there is a full list of everyone's personal data is just unconscionable," he said.
The success of this social-engineering ploy is no shock, Sjouwerman said. "It isn't surprising, but it should be," he said. "You'd assume after major government hacks, everyone would be thinking three times before they gave out this type of information."
This is one instance in which security awareness training, the critical factor, was evidently missing for whoever gave out the access information. "Obviously, stepping people through effective security awareness training is necessary," Sjouwerman said. But he cautioned, "Exposing them to death by PowerPoint just doesn't cut it" as an adequate security training strategy.
Part of the problem is that people confuse compliance with security, Sjouwerman explained. He added that it's critical to sell internal security to all employees, but especially those who will be on the front lines of support. "You need to sell an internal security culture," he said.