The Labor Department has several gaps in its cybersecurity protections that could be exploited by hackers, according to a report publicly released Tuesday by its inspector general’s office. Several of the gaps were identified three years ago, the report noted, but the department has done very little to prevent potential data theft.
“In light of recent events involving serious breaches of government data systems, this memorandum highlights three significant deficiencies that have been repeatedly identified in our reports on the Department of Labor’s (DOL) information security program. DOL must make it a high priority to mitigate these serious security vulnerabilities to its information systems,” according to the report, which was dated July 31.
The report follows a massive data breach at the Office of Personnel Management earlier this year that resulted in the personal and private data of millions of current and former federal employees becoming available to hackers.
The inspector general’s report indicates that 11 former federal employees were able to access restricted information on the department’s website because they still had active accounts.
The department issues “personal identity verification” cards to all employees and contractors to give them access to the computer systems. The report found “serious control deficiencies” in how the department monitors the PIV cards and the related systems.
“The importance of the PIV-II security program cannot be understated. The program plays a key role in protecting DOL’s infrastructure, including data, other systems, and people from potential harm caused by unauthorized access. Although DOL is now implementing logical access via PIV cards, it will need to ensure all aspects of PIV card issuance and maintenance are properly administered in order to ensure the effectiveness of this control,” the report said.
Other deficiencies noted by the inspector general included a lack of any system to lock out people after multiple unsuccessful log-in attempts and generally outdated system security plans. It also found that the department was lax in monitoring usage and security risks relating to the access given to contractors and other outside groups.
The report did note that the department had made attempts to address some of the problems and was currently working on improving the system, but added that it “remained concerned” that its reports continue to note the same problems.
UPDATE: The Labor Department sent the following statement to the Washington Examiner: “The Department of Labor takes seriously the importance of enhancing IT security. So we are pleased that the Inspector General recognizes the Department’s actions to remediate known information security vulnerabilities, protect federal information and assets, improve the resilience of federal networks, and implement multi-factor authentication for all departmental systems.”
