Labor Department Ignored Cybersecurity Warnings For Years, Says Inspector General

The Department of Labor's inspector general said Tuesday that the department has ignored numerous warnings and still has several gaps in its cybersecurity system, leaving sensitive information vulnerable to hackers.

Some of the gaps were first identified three years ago, the report said. "In light of recent events involving serious breaches of government data systems, this memorandum highlights three significant deficiencies that have been repeatedly identified in our reports on the Department of Labor's (DOL) information security program. DOL must make it a high priority to mitigate these serious security vulnerabilities to its information systems."

The IG noted that the department has on 11 occasions ignored warnings that too many employees have unrestricted access to systems containing sensitive information, The Daily Caller reported.

The IG "has repeatedly recommended DOL improve this important control to prevent unauthorized access to DOL systems and applications," the report said.

Contractors operating the digital systems were told eight times during the same period that they needed to increase scrutiny. They were also told four times that the department's cybersecurity patches aren't updated on a regular basis.

"This trend of recurring deficiencies is indicative of systemic issues that require an overall strengthening of DOL's information security program to prevent future occurrences," the IG said. While the department has made improvements since 2010, "audits continue to identify similar deficiencies in information security," the report said. "Moving forward, DOL needs to focus its efforts on enhancing its information security program to ensure the confidentiality, integrity and availability of its information system and data."

The IG also took issue with the way the department issues and manages "personal identity verification" cards, which are given to all employees and contractors to allow access to computer systems. The report found "serious control deficiencies" in how the cards and related systems are monitored.

"The importance of the PIV-II security program cannot be understated. The program plays a key role in protecting DOL's infrastructure, including data, other systems, and people from potential harm caused by unauthorized access. Although DOL is now implementing logical access via PIV cards, it will need to ensure all aspects of PIV card issuance and maintenance are properly administered in order to ensure the effectiveness of this control," the report said.

The department also lacks a mechanism to automatically lock people out of its systems after multiple unsuccessful log-in attempts and does not effectively monitor usage and security risks associated with contractors.

The report comes in the wake of a massive data breach at the Office of Personnel Management earlier this year, which resulted in hackers obtaining personal and private data of more than 20 million current and former federal employees, The New York Times reported.

The Labor Department began partially following the IG's recommendations after the OPM hack was announced in June.

A similar breach occurred at the United States Postal Service last November, exposing the information of more than 800,000 current and former postal employees.

All three agencies ignored repeated watchdog warnings recommending that they strengthen cybersecurity, according to The Daily Caller.
