In addition to the standard two forms of identification, offer letter and contact information, new hires at the U.S. Department of Education are required to bring along a certificate of completion for a cybersecurity training course.
A recent internal investigation shows why that training is probably a pretty good idea.
According to a previously undisclosed probe into a 2011 “spear phishing” campaign, hackers targeted senior staff and managed to break through the department’s security protections to steal data.
Much about the incident, which was described in documents released through a Freedom of Information Act request by Federal Times, remains classified, including how much data and what sort of information hackers took.
One of the hackers used an email address, arne.duncan[at]ymail.com, to infiltrate the department’s security protections.
You can read for yourself the summary of the investigation by the technology crimes division of the department’s Inspector General, which passed along its findings to the FBI. That memo can be found here.
Federal Times recently reported on the incident, but the Education Department declined to comment. Still, there’s a lesson in all of this. Even if the name on an email address seems familiar, government employees ought to make sure the sender’s address is legitimate.
And call the IT department if you’re unsure.