Energy ups security efforts after loss of employee data

Latest federal breach highlights a growing security problem

By Patience Wait, GCN Staff

The Energy Department has joined a long list of federal agencies that recently have suffered serious breaches of cybersecurity. Unlike the breaches at those organizations, however, the DOE breach was the result of a targeted intrusion and theft rather than carelessness.

“This is the tip of a much bigger iceberg,” said Alan Paller, director of research at the SANS Institute of Bethesda, Md. “This is an example of the kind of attack and extraction that was going on for the last 2 1/2 years” during Titan Rain, an organized series of cyberattacks believed to have originated in China.

Breaking in
At DOE, hackers stole personal information on 1,502 employees—both government and contract workers—from an unclassified system belonging to the National Nuclear Security Administration, a semiautonomous agency within DOE.

The theft occurred in June 2004 at NNSA’s Albuquerque service center at Kirtland Air Force Base, but officials did not discover it until August or September 2005, according to the Albuquerque Journal, when a DOE cybersecurity team turned up evidence of “an unusual data transmission.”

And NNSA officials did not notify Energy secretary Samuel Bodman of the data theft until two days before a hearing earlier this month of the Energy and Commerce Subcommittee on Oversight and Investigations, nor did the agency begin notifying affected personnel until the day of the hearing.

Rep. Joe Barton (R-Texas), chairman of the full committee, was so angry about NNSA’s handling of the incident that he told Linton Brooks, the NNSA administrator, he should resign or be fired.

The news follows on the heels of the Veterans Affairs Department reporting last month that a notebook PC and hard drive had been stolen from an employee’s home. The hardware contained records on more than 26 million veterans and active-duty service personnel, including names, dates of birth, Social Security numbers and other personal information; the data was not encrypted.

The IRS also reported that an employee traveling to an agency event lost a notebook in transit. The computer contained personal information, including fingerprints, names, birth dates and Social Security numbers, of 291 IRS employees and job applicants; the data was secured with a double password system but not encrypted.


