Data Breach with a Twist of Cover-Up
The Washington Post is covering a story about a data breach (or series of breaches) at the Department of Homeland Security. According to the article, Unisys was contracted to install network intrusion detection systems on an unclassified network. Unfortunately, the installation might not have been done correctly and/or the devices might not have been monitored, so:
according to evidence gathered by the House Homeland Security Committee, Unisys's failure to properly install and monitor the devices meant that DHS was not aware for at least three months of cyber-intrusions that began in June 2006. Through October of that year, Thompson said, 150 DHS computers -- including one in the Office of Procurement Operations, which handles contract data -- were compromised by hackers, who sent an unknown quantity of information to a Chinese-language Web site that appeared to host hacking tools.
And to compound the problem, there are allegations of a cover-up:
The contractor also allegedly falsely certified that the network had been protected to cover up its lax oversight, according to the committee.
Unisys says a functioning IDS is in place:
A Unisys spokeswoman, Lisa Meyer, said that "no investigative body has notified us formally or informally of a criminal investigation" on the matter and added that she could not comment on specific security incidents. She said that Unisys has provided DHS "with government-certified and accredited security programs and systems, which were in place throughout 2006 and remain so today."
Breaches are bad enough; covering them up is worse. We've known since Nixon that cover-ups don't work if someone really wants to get to the real details of an incident. It would be unjustifiable if someone stuck their head in the sand, claimed the IDS was functioning when it wasn't, and there were additional breaches.



