EPA says allegedly breached data was already publicly available

Editor’s note: Stpry updated 3:30 p.m. Eastern with new information from EPA.

The U.S. Environmental Protection Agency (EPA) said there has been no breach of data from the agency following claims made by a threat actors on Sunday. 

The EPA told Recorded Future News on Tuesday that the Cybersecurity and Infrastructure Security Agency (CISA) and FBI confirmed that the data was already publicly available. 

“Additionally, the hacker confirmed they never breached the EPA and that the data was publicly available,” the spokesperson said, directing Recorded Future News to the website where the information can be found and downloaded.   

The website is Facility Registry Service (FRS) — a portal allowing anyone to search all of the facilities that the EPA collects information from.

On Sunday, a hacker in a popular cybercriminal forum offered 3 gigabytes of data allegedly taken from EPA systems. The person behind the post said the information was a contact list of critical infrastructure organizations around the world. 

A preliminary analysis of the data showed that it was “business contact information available to the public to provide a comprehensive picture of environmental impacts,” an EPA spokesperson had said earlier. 

The incident comes after Sen. Chuck Grassley (R-IA) sent a letter to the EPA on Friday questioning whether the agency had fully addressed several cybersecurity issues raised by the Government Accountability Office (GAO) in a 2019 report. 

The GAO made four recommendations to the EPA related to cybersecurity risk management strategies. According to Grassley, two of the recommendations remain open.

The first concerns the need for the EPA to “establish a process for conducting an organization-wide cybersecurity risk assessment,” and the second open recommendation tasks the EPA with “establishing and documenting a process for coordination between cybersecurity risk management and enterprise risk management functions.”