A US government watchdog stole more than a gigabyte of apparently sensitive personal data from the US Department of the Interior’s cloud systems. The good news: The data was fake and part of a series of tests to check whether the Department’s cloud infrastructure was secure.
The experiment is described in detail in a new report by the Interior Office of the Inspector General (OIG), published last week.
The aim of the report was to test the security of the Department of the Interior’s cloud infrastructure, as well as its “data loss prevention solution”, software that is supposed to protect the department’s most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report.
The Department of the Interior manages federal land, national parks and a multibillion-dollar national budget, and hosts a significant amount of data in the cloud.
According to the report, to check whether the Department of the Interior’s cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that “will appear valid to the Department’s security tools.”
The OIG team then used a virtual machine within the Department’s cloud environment to emulate “a sophisticated threat actor” within its network and then used “well-known and widely documented techniques to extract data.”
“We used the virtual machine as is and did not install any tools, software, or malware that would facilitate data extraction from the subject system,” the report states.
The OIG said it conducted more than 100 tests in a week, monitoring the government department’s “computer logs and event tracking systems” in real time, and none of its tests were detected or thwarted by the department’s cybersecurity defenses.
“Our tests failed because the Department failed to implement security measures capable of either preventing or detecting known and widely used techniques used by malicious actors to steal sensitive data,” the OIG report said. “In the years the system has been hosted in the cloud, the Department has never conducted regularly required testing of the system’s controls to protect sensitive data from unauthorized access.”
Here’s the bad news: Weaknesses in the Department’s systems and practices “put sensitive [personal information] for tens of thousands of federal employees at risk of unauthorized access,” the report said. The OIG also acknowledged that it may be impossible to stop a “well-resourced adversary” from breaking in, but with some improvements, it may be possible to stop that adversary from penetrating sensitive data.
This test “data breach” was done in a controlled environment by the OIG and not by a sophisticated government hacking group from China or Russia. This gives the Department of the Interior an opportunity to improve its systems and defences, following a number of recommendations set out in the report.
Last year, the Interior Department’s OIG built a custom $15,000 password-cracking platform as part of an effort to test the passwords of thousands of department employees.