The Labor Department has gaps in its cyber security protections that could be exploited by hackers, according to a report released by its inspector general’s office.
Several of the gaps were identified three years ago, but the department has done very little to prevent potential data theft, the report said.
“In light of recent events involving serious breaches of government data systems, this memorandum highlights three significant deficiencies that have been repeatedly identified in our reports on the Department of Labor’s (DoL) information security program. DoL must make it a high priority to mitigate these serious security vulnerabilities to its information systems,” according to the report.
The report follows a massive data breach at the Office of Personnel Management (OPM) that resulted in the personal and private data of millions of current and former federal employees becoming available to hackers.
The inspector general’s report found 11 former federal employees were able to access restricted information on the department’s website because they still had active accounts.
The department issues “personal identity verification” (PIV) cards to all employees and contractors to give them access to the computer systems. The report found “serious control deficiencies” in how the department monitors the PIV cards and the related systems.
“The importance of the PIV-II security program cannot be understated,” the report said. “The program plays a key role in protecting DOL’s infrastructure, including data, other systems, and people from potential harm caused by unauthorized access. Although DoL is now implementing logical access via PIV cards, it will need to ensure all aspects of PIV card issuance and maintenance are properly administered in order to ensure the effectiveness of this control.”
Other deficiencies noted by the inspector general included a lack of any system to lock out people after multiple unsuccessful log-in attempts and generally outdated system security plans. It also found the department was lax in monitoring usage and security risks relating to the access given to contractors and other outside groups.
The report did note the department had made attempts to address some of the problems and was currently working on improving the system, but added that it “remained concerned” that its reports continue to note the same problems.