@
ElwoodBlues A ransomware attack targeted network file shares on a system owned and operated by a contractor working with the department’s Centers for Medicare and Medicaid Services (CMS). This resulted in the exposure of personal data for 2.8 million individuals, 1.3 million of them deceased. The compromised information included names, addresses, dates of birth, Medicare identifiers, and bank details. As a result of the incident, CMS moved the systems in-house and offered victims free credit monitoring.
In another major incident involving HHS, attackers targeted two contractors using a zero-day vulnerability to access systems containing HHS data. There was no sign that HHS systems were compromised, but the compromise of the contractors’ systems potentially exposed the personal information of 1.88 million individuals held for agencies including the Centers for Disease Control and Prevention, the National Institutes of Health, and CMS. This included names, social security numbers, email addresses, phone numbers, dates of birth, medical diagnoses, and other information.
In February 2023, ransomware hit a computer system at the United States Marshals Service (USMS) containing personal information on staff and those involved in legal processes, forcing the USMS to build a new system and restore from backup. Affected individuals were notified and offered free credit monitoring.
Another ransomware incident, this time in May 2023, hit systems at a vendor providing data analytics support for specific cases for the Department of Justice’s Civil Division and some US Attorneys’ offices. This attack compromised personal and medical data. A third-part incident response service was called to investigate and clean up, and individuals affected were offered credit monitoring services.
In an unforced error, the Internal Revenue Service (IRS) inadvertently exposed personal information that it had already exposed the previous fiscal year. The IRS is supposed to disclose 501(c)3 organizations’ miscellaneous income by publishing redacted versions of their Exempt Organization Business Income Tax Return (990-T) forms. It hired a contractor to help automate this process, but a coding error led to the forms of all 501(c) organizations being exposed until the error was reported in August 2022. Although the data was promptly removed from the public web server, it was inadvertently published again from a staging server in the following fiscal year.
The OMB made a big deal of one incident involving a bad actor gaining access to the login credentials of just one employee for just 15 hours — maybe because that person worked for the Office of the Inspector General (OIG), which has full access to all records and materials available to the Treasury Department, determines which of them to audit or investigate, and writes the reports. Due to the OIG’s defense in depth, the nation-state sponsored actor behind the attack was unable to access any information resources nor introduce any malware during the time they had access. The Treasury Department updated its multi-factor authentication policies, validated software configurations, and subjected staff to awareness training to prevent a reoccurrence.
The US Office of Personnel Management (OPM) reported a major incident involving a zero-day vulnerability in a file transfer application — likely the MOVEit hack, although it was not explicitly named — used by a contractor supporting the Federal Employee Viewpoint Survey (FEVS). The breach compromised government email addresses, unique survey links, and OPM tracking codes for about 632,000 employees at the Departments of Justice and Defense. In response, OPM stopped transferring FEVS data to the contractor, deactivated the survey links, assessed the harm, and notified affected individuals. The assessment found no evidence of unauthorized access or manipulation of survey results.
A Consumer Financial Protection Bureau employee — no longer with the agency, naturally — sent to their personal email account 14 emails containing personal information and two spreadsheets with details of around 256,000 customers of one single financial institution. The former employee ignored demands from CFPB to delete the emails and send proof of deletion. The official assessment indicated the data couldn’t be used for account access or identity theft, but some affected individuals were notified just in case. In addition, the CFPB strengthened technical controls to prevent inadvertent breaches, reminded all staff and contractors of its privacy policies, and reviewed all its information management procedures.
Federal employees benefitting from the TRANServe initiative may have regretted their decision to take the train. Approximately 237,000 of them were potentially affected when attackers breached several administrative systems and stole personal data from the Parking and Transit Benefit System (PTBS), which administers incentives to federal employees to take mass transportation to work. The attackers exploited an unpatched critical vulnerability in an unnamed commercial web application development platform, obtaining names, home and work addresses, and the last four digits of social security numbers. The Department of Transportation rebuilt affected servers with patched software, and offered credit monitoring services to staff.
An authorized developer at the Interior Department’s Interior Business Center (IBC) modified a payroll system’s security policy, inadvertently allowing HR personnel to view 36 federal agencies’ employee records. This potentially exposed personal data of around 147,000 individuals. An investigation revealed that the IBC failed to conduct a privacy impact assessment after changes to its systems, prompting it to strengthen internal processes and training.
The Department of Energy reported that a known but unnamed ransomware group exploited a zero-day vulnerability in a supposedly secure file transfer product used by the Waste Isolation Pilot Plant (WIPP) and Oak Ridge Associated Universities (ORAU). The ransomware group was able to access WIPP and ORAU systems and claimed it had exfiltrated data, potentially involving the details of 34,000 individuals in a health monitoring program for former DOE employees and 66,000 individuals from the Office of Science. The compromised data included names, birthdates, social security numbers, and some health information. Affected individuals were notified and provided with identity monitoring services.
