"To facilitate its administrative and operational needs, the Department of Energy maintains a substantial amount of personally identifiable information (PII). The Department's Management Information System (MIS) provides a gateway for users to access a system known as the DOE Employee Data Repository (DOEInfo) database. That system was implemented in 1994, and over time has become the central repository for information on the Department's current and former employees, dependents and contractors. Among other data elements, information stored in DOEInfo included name, address, Social Security number, date and place of birth, and banking information. In addition, Homeland Security Presidential Directive 12 badge and position sensitivity information, as well as security questions and answers necessary to request username and password resets, were stored in the database. Over the past several years, MIS has been involved in no fewer than three cyber security breaches. According to Department officials, neither of the first two incidents, one in May 2011 and the second in January 2012, appeared to result in the loss of personal information. In July 2013, however, hackers exploited a software vulnerability to gain access to MIS and exfiltrated personal information from DOEInfo. Because of the importance of ensuring the security of the Department's systems and sensitive information, and at the request of the Chief Information Officer, we commenced a special review into the circumstances surrounding the MIS/DOEInfo breach. During our review, we conducted more than 35 interviews with Federal officials and contractor personnel from most of the Department's programs and staff offices. We also reviewed supporting information pertinent to MIS and DOEInfo and the events surrounding the breach."
Department of Energy, Office of Inspector General, Report No. DOE/IG-0900
U.S. Department of Energy: http://energy.gov/