The US Department of Transportation (USDOT) is investigating a security breach that exposed the personal information of 237,000 federal employees.
According to a preliminary investigation detailed in an email to Congress and media outlets, the DOT detected a breach of certain systems the department used for administrative functions.
“The preliminary investigation has isolated the breach to certain administrative systems at the Department used for functions such as employee transit benefits processing,” the Department of Transportation said, adding that the incident did not affect any transportation safety systems.
USDOT security breach impacted current and former federal employees
Reuters reported that the breach affected 237,000 federal government employees, including 114,000 current and 123,000 former employees.
The USDOT security breach leaked personal information that might include the federal workers’ names, work email addresses, work phone numbers, work and home addresses, the agency they work for, and SmarTrip and TRANServe Card numbers.
Individuals receive $280 per month for federal employee mass transit commuting costs, with TRANServe encouraging federal employees to use public transport through the reimbursement program.
Meanwhile, federal employees could not access the system, which remains inaccessible during the investigation until it is secured and restored.
Experts from the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Chief Information Officer (OCIO) at USDOT were responding to the security breach.
Authorities have not disclosed how hackers gained access to the US Department of Transportation systems or if they have misused the information stolen from federal employees. Details on when the security breach occurred are also unavailable.
Meanwhile, USDOT said it was in the process of notifying federal employees impacted by the security breach. The agency will also provide the victims with credit monitoring services to protect them from identity theft and fraud.
“What is particularly interesting about this particular scenario is that hackers may be able to correlate PII with travel patterns, GPS data, and bank account information as they’re related to benefits processing,” said Debrup Ghosh, Senior Product Manager at Synopsys Software Integrity Group.
“The silver lining, however, is that USDOT was quick in responding and isolating the breach impact.”
Hackers frequently target federal employees
Hackers have frequently targeted federal employees to access the government’s systems. In 2021 alone, hackers breached at least nine federal agencies, including the Federal Bureau of Investigation, which was hacked at least twice.
“As we approach the 2024 election season, federal employees and agencies will continue to be the target of cyber-attacks,” Ghosh predicted.
Over 22 million individuals, including 4.2 million government workers, were targeted in U.S. Office of Personnel Management (OPM) data breaches in 2014 and 2015, leaking the fingerprints of 5.6 million people.
Similarly, SolarWinds hackers breached the Justice Department and obtained emails from the Energy, Commerce, Treasury, and Homeland Security departments. The security breach affected workers from at least 27 U.S. attorneys’ offices.
Another security breach on Washington, D.C.’s health platform in March 2023 exposed the healthcare data of 17 House of Representatives members and their 43 dependants, as well as that of 585 staffers and their dependants.
One month before, the U.S. Marshals Service also suffered a ransomware attack affecting sensitive personal information and law enforcement data.
While hackers have upskilled to keep up with advancements in cyber defenses, poor security practices in some federal organizations could be responsible for some security breaches.
For example, the U.S. Government Accountability Office (GAO) has faulted the Transportation Department for failing to address “longstanding cyber issues” after conducting a cybersecurity review program.
Additionally, the US Comptroller General determined that the Transportation Department implemented only 67% of the recommendations in the High-Risk List, below the government-wide average of 77%, leaving 177 recommendations pending.
“For years, organizations within both the public and private sectors have been sensitive to the concept of protecting customer and employee data,” said Ghosh. “And yet more needs to be done strategically and tactically to protect sensitive data of these groups, including personally identifiable information (PII).”
He noted that attacks have increased in sophistication and target multiple vectors from various sources “to generate novel insights about federal employees.”
“As such, a proactive, defensive security strategy must incorporate evolving attack strategies and vectors into threat models for software systems that store information relating to government employees to ensure attackers aren’t successful in their efforts,” Ghosh concluded.