US Census Bureau Disputes IG Report on Security Breach Caused by Hired Hackers
According to the Census Bureau’s IG Office, the agency hired red team hackers who then gained unauthorized access to its systems. Red teams are supposed to be authorized hackers who help organizations identify vulnerabilities in their networks and systems.
The redacted IG report revealed that the red team was able to access the bureau’s domain administrator account undetected and to obtain access to employees’ personally identifiable information. The hackers were also able to reduce the agency’s defensive options, use insecure programs to send fake emails through a .gov email and perform several malicious actions, through which 11 security weaknesses were identified, The Record reported.
In response to the IG’s findings, a Census Bureau spokesperson said the security firm it hired as a red team was not able to access systems or sensitive information on its own. The spokesperson said the bureau gave the hackers special internal access to assess potential areas of improvement and added that the firm’s members were vetted in advance.
Furthermore, the spokesperson said the hacking team was able to identify areas of improvement, and the bureau is already taking action to improve its network.
The OIG recommends that the Census Bureau implement periodic reviews, verify that Active Directory permissions are protected from common attacks and further limit employee access to systems. The bureau is also urged to, among other measures, implement advanced authentication security controls, develop an alert system and verify protection against the discovered vulnerabilities.
The oversight body also said the agency needs to continue removing legacy code from its systems and create an action plan to correct the issues identified in the red team incident.