Written by: John H. Thompson
Earlier this week, the Census Bureau experienced an attack to gain access to the Federal Audit Clearinghouse, which is housed on an externally facing IT system that contains non-confidential information, such as names of the person submitting the information, organization addresses and phone numbers, site user names, etc. While our IT forensics investigation continues, I want to assure you that at this time every indication is that the breach was limited to this database, and that it did not include personally identifiable information provided by people responding to our censuses and surveys.
It appears the database was compromised through a configuration setting that allowed the attacker to gain access to the four files posted to the hacker’s site. The hackers acquired the data illegally, but as I indicated above, the Clearinghouse site does not store any confidential household or business data collected by the Census Bureau. That information remains safe, secure and on an internal network segmented apart from the external site and the affected database. Over the last three days, we have seen no indication that there was any access to internal systems.
The Federal Audit Clearinghouse is used to collect single audit reporting packages from state and local governments, non-profit organizations, and Indian tribes expending Federal awards. The federal awarding agencies use the single audit reports to ensure program compliance. We were in the process of making additional Clearinghouse information available via the Internet next year. Within 90 minutes of learning of the breach, we made the system inaccessible. It will remain offline until we can complete our thorough investigation and take steps to ensure the system's integrity in the future.
However, in light of this breach, we are increasing our efforts to ensure the security of our site.
We continuously scan our systems to look for vulnerabilities. The Census Bureau follows every possible precaution and uses the latest IT security standards to make sure our systems remain secure. In addition, the Department of Homeland Security runs scans regularly.
Through our surveys and censuses, American taxpayers and businesses entrust the U.S. Census Bureau with their information to produce statistics about our population and economy. The information we collect helps the nation make informed decisions, from transportation projects to social services to businesses and job creation. As you know, we do not take this trust lightly and have a good record of keeping confidential information safe.
The IT security office is continuing its investigation, and they will further strengthen our security systems based on what they learn. I assure you that we will continue to safeguard the information and data of both the public and our employees. Your trust is paramount to our mission.
Updated information (Last updated 12/15/15):
The following survey sites are back online with resumed data collection activities:
- Federal Audit Clearinghouse
  - Due dates between 7/22/2015 – 1/31/2016 are extended to 2/01/2016
  - To access the Federal Audit Clearinghouse, visit: https://harvester.census.gov/facweb
  - Contact: 1-800-253-0696 / email@example.com
- Survey of Sexual Victimization
  - To access the 2014 SSV, visit: http://harvester.census.gov/ssv
  - Contact: 1-800-253-2078 / firstname.lastname@example.org
- Annual Survey of State Government Finances
  - Contact: 301-763-1503 / State Finance and Tax Statistics Branch / email@example.com with questions
  - Contact: 301-763-5635 / firstname.lastname@example.org for details on submitting your data through a secure FTP site
The data collection period has ended for the following survey site, which is no longer available online:
- Public Libraries Survey
Please see our statement for more information:
Census Bureau Statement on IT Security Incident
July 22, 2015 – The U.S. Census Bureau is investigating an IT security incident relating to unauthorized access to non-confidential information on an external system that is not part of the Census Bureau internal network. Access to the external system has been restricted while our IT forensics team investigates.
Security and data stewardship are integral to the Census Bureau mission. We will remain vigilant in continuing to take every necessary precaution to protect all information.
If you have any questions or concerns about how the Census Bureau protects your data, I encourage you to contact our Respondent Advocates, Dave Waddington and Nishea Quash, at email@example.com. Dave and Nishea can explain the many policies and procedures that the Census Bureau uses to ensure America’s data is safe and secure.