The personal information of CIA Director John Brennan, Department of Homeland Security Secretary Jeh Johnson, and 19 other current and former intelligence officials has been dumped online by a hacker who says he is an American high school student motivated by anger at the killing of Palestinians.
The CIA and DHS declined to comment on the authenticity of the data, which includes personal email and telephone contact information, Social Security numbers and dates of birth, but other people named in the dump confirmed to FedScoop that the data about them was genuine.
The data is in the form of a list that Brennan apparently compiled in 2008 of volunteers for the Obama transition who required access to secure government offices.
The hackers, who call themselves “Crackas With Attitude,” said on Twitter they obtained the list by gaining control of Brennan’s personal email account. That account, with AOL, was deleted Friday, the hackers said.
“Even encrypted email is only as secure as the weakest link,” former DHS Secretary Michael Chertoff told FedScoop. “If someone can get your password” they can probably get around any reasonable security precautions you might have in place. If the attacker used “social engineering” as they claimed, Chertoff added, “that is an issue for the companies that manage these services … That is a training issue for them.”
One of the hackers told the New York Post in a telephone interview that he was a “stoner” high school student who had successfully tricked employees at Verizon and AOL into handing over control of Brennan’s account.
He told the paper he was motivated by anger at the killings of Palestinians in the Israeli-occupied territories.
“We are not doing this for personal satisfaction, we are doing this because innocent people in Palestine are being killed daily,” the hackers later tweeted.
The hackers also said on Twitter they had hijacked Johnson’s Comcast account, and posted screenshots of themselves exchanging messages with his wife, as well as details of his home address and phone numbers, the IP addresses of his home router and information about the car driven by his son.
“We are aware of the media reports,” a DHS spokesman emailed. “However as a matter of policy, we do not comment on the Secretary’s personal security.”
The CIA also declined to comment, beyond saying that they were “aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”
Would-be visitors to the hackers’ Twitter account Monday afternoon found a notice that the account had been suspended, effectively deleting the dumped data. But the incident underlines the vulnerability of the personal email accounts of senior officials and the possibility that, especially during transition planning, when .gov emails aren’t available, sensitive material might be transmitted over private accounts.
“You don’t have many options at that point,” said a former national security official who worked on the 2008 transition.
“This is a symptom of a broader problem,” added Chertoff. “It’s not just officials: Business executives, lawyers, all kinds of people have to handle sensitive information … We should all be mindful of our personal security.”
He noted that information made public on social media, for instance, “can be used in social engineering.”
“It’s a lesson we all have to learn,” he concluded.