Hackers claiming to be affiliated with Anonymous, a loosely associated international network of activist and hacktivist entities, broke into a Census Bureau network and exfiltrated information on users and administrators of non-confidential bureau databases. The group tweeted about the attack and, shortly after, began posting links to troves of data and documents it had obtained. The hack was discovered on July 22, 2015, at which time the sites were taken down for investigation.
“Earlier this week, the Census Bureau experienced an attack to gain access to the Federal Audit Clearinghouse, which is housed on an externally facing IT system that contains non-confidential information, such as names of the persons submitting the information, organization addresses and phone numbers, site user names, etc.,” Census Bureau Director John H. Thompson wrote in a blog post. “While our IT forensics investigation continues, I want to assure you that at this time every indication is that the breach was limited to this database and that it did not include personally identifiable information provided by people responding to our censuses and surveys.”
The Federal Audit Clearinghouse collects audit data from state and local governments, non-profit organizations and Indian tribes on how they’re spending federal awards. The hackers pulled down information on thousands of users, including emails, phone numbers, addresses, usernames and password hashes. The data includes information on Census and other federal employees, as well as members of organizations with user accounts for submitting audits to the site. The four files were then posted on paste sites openly available on the web.
Nonprofit organizations generally have 30 days from the completion of their audits (or an absolute maximum of 9 months from their fiscal year end) to file their required reports with the Clearinghouse or they risk losing their “low risk” auditee status. Organizations that do not qualify as “low risk” potentially have to have additional compliance work performed by their external auditors to remain in good standing with regard to their federal funding.
As a result of the breach, the Clearinghouse has remained offline while additional IT security measures are implemented. A message posted on the website grants organizations looking to file their reports during the period of 7/22 – 9/30/15 an extension until 10/31/2015. There has been no public communication as to when the site will be functional again.
The hack comes after the U.S. Office of Personnel Management (OPM) disclosed in April and May that it was the victim of two massive data breaches that compromised the personal data of more than 22 million people. Fallout from the breaches led to the resignation of Katherine Archuleta as OPM chief.
According to the hackers who posted the files on the paste sites, Anonymous attacked the Census Bureau in protest of the proposed Transatlantic Trade and Investment Partnership between the U.S. and the European Union and the Trans-Pacific Partnership with countries from North America and the Pacific Rim.