A virus in an email attachment, possibly on a contractor’s computer, was the cause of an Environmental Protection Agency (EPA) security breach that affected nearly 8,000 users.
The compromised servers contained data related to the Superfund program, the hazardous-waste cleanup effort mandated in 1980. Contractors almost entirely mange the Superfund program, according to a published report. The breach occurred in March.
The data, including Social Security numbers, bank account information and home addresses, ended up compromised after someone opened an email attachment with a virus on a computer with access privileges to the breached servers, according to reports.
The EPA did not confirm the computer belonged to a contractor, but did say the agency heavily relies on contractors to provide IT services.
“Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA and throughout the public and private sectors. The agency has already added new safeguards in response to this incident,” an EPA statement said.
Technology and policy are both critical to the success of a security effort, along with education and training, security experts said.
“We cannot just have policy-based approaches to cyber security – it has to be technology-based, too,” said Tony Busseri, chief executive of Route1, an IT security firm. “If we rely upon the human condition – i.e., we expect someone to adhere to a policy – and that’s the only protection we have, we’re going to have failure. By nature people are prone to making errors.”
If a contractor was remotely accessing the servers they may have suffered exposure to malware and/or viruses on the contractor’s computer, Busseri said.
“We should be using technology that is principled around minimizing vulnerabilities and risk,” Busseri said. “Then you educate the user on using that technology.”