Yet another cyberattack has befallen the American government. This time, the Department of Justice was the main target of the hackers, who got away with the information of nearly 20,000 DoJ employees, according to The Guardian. What's more, the cybercriminals also gained access to data on roughly 9,000 employees of the Department of Homeland Security, posting the information on an encrypted website that The Guardian then investigated.
Thankfully, the information posted by the hackers doesn't seem to be risking the lives of undercover agents. Rather, it would appear the individual or individuals only gained access to personal directories with the names, email addresses and phone numbers of agency personnel. What's more, much of this information seems to be outdated, as some of the people listed in the DHS directory don't work for the agency anymore.
Regardless, this most recent attack shows that the U.S. government has flaws in its current cybersecurity model.
The hack itself isn't the problem
While this is an embarrassing moment for the DoJ and DHS, the information that has been released so far hasn't contained any life-threatening data. The true focus of this story is how the hackers went about actually getting the directories. The Guardian stated that Motherboard, the publication that first reported on the hack, was in contact with the individual reportedly responsible.
After gaining access to a DoJ employee's email account, the hacker told Motherboard that he had trouble getting into their Web portal. Instead of giving up here, the individual called the "relevant department," said he was a new employee and simply asked for access. He was promptly given a token code that would allow him to move past the portal.
In effect, this person sweet talked his or her way into what was supposed to be one of the most secure digital databases in the world.
The issue here isn't that someone has gained access to simple phone numbers and email address. The true problem is that social engineering can be used to bypass what should be intense cybersecurity measures on a governmental level.
Education is the only way to stop social engineering
An organization can have the best cybersecurity system in the world and it can all be rendered useless if employees don't know how to sniff out a social engineering attempt. This isn't to say government workers are naive, but rather that people can often be too trusting when it comes to handing out sensitive information. It's human nature to make life easier for other people, but following this innate instinct can prove detrimental.
The only tried and true method for avoiding social engineering is to educate workers on the perils of trusting someone over the phone or online and to enlist expert help. With more data moving to government cloud computing infrastructures, the importance of keeping account information secret has never been more paramount. These resources can be accessed anywhere at any time with the right login credentials, and freely giving out this data simply isn't an option. Government agencies have too much to lose to forgo social engineering education, and hackers have too much to gain.