“Cloud Security Under Scrutiny: Federal Agency Hacked by Government Watchdog”

A U.S. government watchdog stole more than one gigabyte of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The good news: The data was fake and part of a series of tests to check whether the Department’s cloud infrastructure was secure. The experiment is detailed in a new report by the Department of the Interior’s Office of the Inspector General (OIG), published last week. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report. The Department of the Interior manages the country’s federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud.

A recent report by the Office of the Inspector General (OIG) for the Department of the Interior has revealed a startling security breach within the US government. In a controlled experiment, the OIG was able to successfully steal over one gigabyte of personal data from the Department’s cloud systems.

The OIG’s goal was to test the security measures of the Department’s cloud infrastructure, specifically its data loss prevention solution. This software is designed to protect the department’s most sensitive data from cyber attacks by malicious hackers. The testing was conducted over a period of several months in early 2022 to mid-2023, as outlined in the report.

The Department of the Interior plays a vital role in managing federal land, national parks, and a multi-billion dollar budget. As such, it hosts a significant amount of data in the cloud.

In order to assess the effectiveness of the Department’s security measures, the OIG utilized a tool called Mockaroo to generate fake personal data that mimicked valid information. This data was then used to imitate a sophisticated cyber threat inside the department’s cloud environment. The team employed well-known and widely documented techniques to successfully exfiltrate data from the system.

The report stated, “We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system.”

Despite conducting over 100 tests in a week and closely monitoring computer logs and incident tracker systems, the OIG was able to breach the department’s defenses without being detected or prevented.

The OIG’s report revealed significant weaknesses in the Department’s cyber security practices, highlighting the lack of necessary controls to protect sensitive data from unauthorized access. These vulnerabilities put tens of thousands of federal employees at risk.

The OIG acknowledged that it may be difficult to prevent a well-resourced adversary from breaking in, but improvements can be made to prevent the exfiltration of sensitive data. The report includes recommendations for the Department of the Interior to strengthen its systems and defenses.

It’s important to note that this “data breach” was conducted in a controlled environment by the OIG, not by a sophisticated government hacking group from China or Russia. This gives the Department the opportunity to address the identified vulnerabilities and improve its security measures.

In a similar effort last year, the OIG spent $15,000 to build a custom password cracking rig to test the strength of the department’s employees’ passwords. These steps taken by the OIG highlight the need for constant monitoring and regular testing of cyber security measures to protect sensitive data.

Avatar photo
Zara Khan

Zara Khan is a seasoned investigative journalist with a focus on social justice issues. She has won numerous awards for her groundbreaking reporting and has a reputation for fearlessly exposing wrongdoing.

Articles: 806

Leave a Reply

Your email address will not be published. Required fields are marked *