The FBI and Secret Service are investigating reports that non-government email accounts associated with CIA Director John Brennan as well as Department of Homeland Security Secretary Jeh Johnson were hacked, law enforcement officials told CNN.
The New York Post interviewed the alleged hacker, who said he accessed an AOL account associated with Brennan that included files regarding his security clearance application, and the hacker also claims to have accessed a Comcast account associated with Johnson.
The CIA issued a statement Monday saying they are aware of the report. A DHS spokesman also issued a statement saying, “We don’t discuss the Secretary’s security information. We have forwarded this matter to the appropriate authorities.” The FBI declined to comment.
It does not appear that any classified information was accessed, according to a law enforcement official.
The reports highlight the sensitivity of government officials using personal email addresses whether or not they use them for government purposes, an issue thrust into the spotlight in part by Hillary Clinton’s use of private email when she was secretary of state.
While much of the controversy over Clinton’s email use stems from the fact that she used the account for work purposes — there has also been concern about officials using personal email for non-government purposes but on company computers.
The problem is that private email addresses make easy targets.
Johnson apologized over the summer for getting a waiver to use personal email on government computers at the Department of Homeland Security — the civilian agency tasked largely with leading the federal government’s cybersecurity efforts. He called it a “whoops” moment and extended an existing ban to cover top officials who had sought waivers for their email access.
The concern with personal email is that it can be relatively easy for hackers to target and exists outside the protections on .gov email addresses managed by the government.
In fact, the hacker told The New York Post that he used a stunningly simple tactic to allegedly hack Brennan’s account.
The process, called “social engineering,” involves collecting information on a person that is publicly available and using it to personalize an attack on their accounts. In this case, the alleged hacker told the Post he tricked Verizon employees into giving him Brennan’s information and got AOL to reset his password, presumably sending the reset to the hacker.
The tactic, taking advantage of call centers, has been documented by several in the security community as a relatively easy and dangerous hacking technique.
In another form of social engineering, a hacker in 2008 broke into the email account of former vice presidential candidate Sarah Palin by answering her simple security questions, including her birthday and zip code.
And there are other ways personal email addresses can be a risk, including malicious software spread by links in unsophisticated spam.
Though in this case it doesn’t appear any classified information was housed on the officials’ accounts, the hacker claims to have accessed Brennan’s 47-page application for his security clearance, which includes countless personal details, and to have accessed Johnson’s billing page and voicemails.
The hacker told the Post he was a high school student who is critical of U.S. foreign policy and a supporter of Palestine.