The U.S. Environmental Protection Agency (EPA) said it is investigating attempts by a hacker to sell information allegedly obtained from the organization’s systems.
On Sunday, a hacker in a popular cybercriminal forum offered 3 gigabytes of data allegedly taken from EPA systems. The person behind the post said the information was a contact list of critical infrastructure organizations around the world.
An EPA spokesperson told Recorded Future news that the agency conducted a preliminary analysis of the data and it appears that it is “business contact information available to the public to provide a comprehensive picture of environmental impacts.”
“EPA is continuing its investigation into this matter,” the spokesperson said. The EPA did not respond to follow up questions about where the data could be found publicly.
The data set included names, email addresses, phone numbers, job titles and company names.
The incident comes after Sen. Chuck Grassley (R-IA) sent a letter to the EPA on Friday questioning whether the agency had fully addressed several cybersecurity issues raised by the Government Accountability Office (GAO) in a 2019 report.
The GAO made four recommendations to the EPA related to cybersecurity risk management strategies. According to Grassley, two of the recommendations remain open.
The first concerns the need for the EPA to “establish a process for conducting an organization-wide cybersecurity risk assessment,” and the second open recommendation tasks the EPA with “establishing and documenting a process for coordination between cybersecurity risk management and enterprise risk management functions.”
Recorded Future
Intelligence Cloud.