DOE nuke agency hacked in Sept.

Senior officials just told last week about hacker who penetrated multiple security levels, took 1,500 SSNs.
Written by ZDNet UK, Contributor

While the VA data breach is still on high boil, Energy Dept. officials revealed Friday that a hacker stole the names and Social Security numbers of 1,500 people. While the breach actually happened in September, top officials just learned about it last week, the AP reports.

The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, N.M. The file contained information about contract workers throughout the agency's nuclear weapons complex, a department spokesman said.

NNSA Administrator Linton Brooks told a House hearing that he learned of the security breach late last September, but did not inform Energy Secretary Samuel Bodman about it. It had occurred earlier that month.

Brooks got a rough reception when he told a Congressional hearing that a "misunderstanding" was the reason for the delay. Indeed, Rep. Joe Barton called for Brooks' resignation.

"That's hogwash," Rep. Joe Barton, chairman of the Energy and Commerce Committee, told Brooks. "You report directly to the secretary. You meet with him or the deputy every day. ... You had a major breach of your own security and yet you didn't inform the secretary."

No attempt has been made to alert those whose data was compromised. Bodman directed that the individuals be informed immediately. Tom Pyke, DOE's official charged with cybersecurity, said the hacker, who obtained the data file, penetrated a number of security safeguards in obtaining access to the system.

The Energy Department spends $140 million a year on cybersecurity, Gregory Friedman, the DOE's inspector general, told the committee. But, obviously, "significant weaknesses continue to exist," as Friedman said.

Last fall, a so-called "Red Team" of DOE computer specialists - seeking to test the security safeguards - succeeded in hacking into and gaining control of a DOE facility's computer system, the panel was told.

"We had access to sensitive data including financial and personal data.... We basically had domain control," said Glenn Podonsky, director of DOE's Security and Safety Performance Assessment. "We were able to get passwords, go from one account to another."
