

A hacker has released details of Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) employees following a successful social engineering attack against the Department of Justice (DoJ).
The files released so far include a DHS Staff Directory with the name, title, email address, and phone number of some 9,355 employees, ranging from security specialists, program analysts, InfoSec and IT staff all the way up to director level, and 20,000 similar records from the FBI. The hacker claims to also have a trove of data from the DoJ but, at the time of writing, has not made this data publicly available.
The unnamed hacker spoke to Motherboard and described how he had used social engineering to gain access to the Department of Justice.
Step one was compromising the email account of a DoJ employee, although the hacker doesn’t detail exactly how this was done; presumably, it was via either a phishing or spear-phishing attack.
Having gained access to the email account, the hacker tried to use the same credentials to log into the DoJ portal, without success, and then called the Department directly and socially engineered the access.
“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker said. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”
Once in, the hacker had full access to the DoJ intranet, including around 1 TB of employee data that included military emails and credit card numbers, but grabbed only 200 GB.
“I HAD access to it, I couldn’t take all of the 1TB,” the hacker noted.
Perhaps more disturbingly, the hacker confirmed the hack by emailing Motherboard from the compromised account, meaning that not only was the intrusion not detected when it occurred, but the DoJ’s system completely failed to detect it for a significant time afterwards, giving the hacker even more time to do as he pleased inside the firewall.
“We are looking into the reports of purported disclosure of DHS employee contact information,” a Department of Homeland Security spokesperson said on the reports. “We take these reports very seriously, however, there is no indication at this time that there is any breach of sensitive information.”
While it’s true that even with the best security intentions hacks do happen, social engineering attacks don’t hack servers, they hack people, and in this case, extraordinarily poorly trained public employees who were stupid enough to give this hacker access in the first place.
Seriously: the DoJ had a token code system in place to protect its data, and a hacker rings a help desk, says he is new, and they give him a token code over the phone?
Incompetence doesn’t come close.
“Heads should roll” might be an overused cliche but it’s an appropriate one here because every employee from the moron who gave the token out over the phone, to his supervisor, and direct line of management heading up the organization chart needs to either resign or be fired, because something is seriously wrong with the Department’s training procedures for this to have occurred to begin with.