Hacker steals details of 10,000 US civil servants
Updated: 16:57
The contact information of more than 10,000 employees of the US Department of Justice and the Department of Homeland Security was dumped online this week, with an anonymous pro-Palestinian hacker being blamed for the attack.
Twitter was the destination for the dump, where the hacker pointed users to two files stored on plain-text storage website CryptoBin. The first release on Sunday night contained the names, job titles, work email addresses and phone numbers for nearly 9,000 Homeland Security employees.
The second dump came on Monday, and contained similar details for what appeared to be Federal Bureau of Investigation employees. The hacker had threatened a second dump on Monday, saying a file would be released containing information on 20,000 FBI employees.
A spokesman at the DoJ confirmed the breach and said it was being investigated, but asserted it wasn't as severe as it seemed, with no evidence that information such as dates of birth and social security numbers had been seen or released.
Checks carried out by Vice's Motherboard channel found that much of the data was accurate, though a report by FedScoop said the list looked dated, with a number of officials currently employed by Homeland Security seemingly not included.
The hacker opened the first CryptoBin post with the words: "This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer". FedScoop noted that, while more muted in tone, the wording was similar to the motives expressed by hackers who broke into the email accounts of CIA director John Brennan and the Director of National Intelligence James Clapper, in October 2015 and January this year respectively.
David Gibson, vice president of strategy and market development at Varonis, called the attack a cliché, with the attacker likely phishing an employee, stealing their credentials, scanning the local disk and network drives, and downloading the interesting files.
He warned that all organisations needed to expect and be prepared for this.
"Employees usually have access to important data - they need it to do their jobs. A single compromised employee account means an attacker can access that same important data, too", Gibson said.
"The more data the employee has access to, the bigger the risk - and unfortunately, most employees have access to far more data than they need to do their jobs", he added.
Gibson said organisations needed to watch and analyse how employees used their data and systems to bolster their detective capabilities, with unusual file and email access being significant red flags.