EPA Breach Impacts 8,000 People

The U.S. Environmental Protection Agency has confirmed an IT security breach through which Social Security numbers, bank routing numbers and other personal data involving nearly 8,000 people were exposed.

According to the agency, all of the impacted individuals have been notified about the database breach, which occurred in March of this year. Most are current agency employees who were involved in various environmental cleanup projects through the Superfund program.

"Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA," a spokesperson for the agency said in a prepared statement. "The agency has already added new safeguards in response to the incident." Specifics of the safeguards were not disclosed.

[Related: The Biggest Data Breaches of 2012 (So Far) ]

Sponsored post

According to a report from the Washington Business Journal, the breach occurred through an email that contained a malicious attachment. The report goes on to quote federal officials who believe that it is unlikely that any of the information was shared with anyone.

Further details were unavailable. An investigation by the EPA is underway.

But, the delay in the disclosure is alarming to Tony Busseri, CEO of Route1, Inc., a Toronto-based security and identity management company whose customers include the Canadian government, the U.S. Department of Defense, the Department of Homeland Security and various other federal agencies.

"Doesn't the government have a responsibility to disclose when such breaches occur?" asked Busseri. "This happened in March, so the time it took to disclose this is just far too long."

"The second aspect of this is that we keep ignoring good practices that will protect our data," Busseri continued. "There's a Homeland Security presidential directive that provides a standard way of authentication for accessing sensitive data by government employees. Based on the latest numbers we've seen, only about 10 percent of the civilian employees of the U.S. government are compliant with the standards. This basically tells us that there is a very poor authentication and identity match around government employees accessing our information. They are making it very easy for the hacker community to take advantage of bad policies and protocols."

NEXT: Strengthening Security

Busseri is calling for acknowledgment that using a basic username and password is insufficient authentication, and the system should be replaced by multifactor authentication.

"We need to follow the policies, stop approving exceptions to those policies, train employees so they understand the need for the restrictions and the importance of security. The government should also stay in touch with the private sector around next-generation tools that will continue to help us hinder the black hat hacker community."

Busseri also recommended that channel partners show stories of such breaches to their customers to help drive home the need for effective security. "A lot of people think that security needs to mean greater cost," he said. "But, that's not true. It merely supports the business models of the large security vendors who have actually been pretty lazy about evolving their technologies to meet the current threats. But, good security can actually save them money."