DOE computers hacked; info on 1,500 taken
By H. JOSEF HEBERT, Associated Press Writer
A hacker stole a file containing the names and Social Security numbers
of 1,500 people working for the Energy Department's nuclear weapons
agency.
But in the incident last September, somewhat similar to recent
problems at the Veterans Affairs Department, senior officials were
informed only two days ago, officials told a congressional hearing
Friday. None of the victims was notified, they said.
The data theft occurred in a computer system at a service center
belonging to the National Nuclear Security Administration in
Albuquerque, N.M. The file contained information about contract
workers throughout the agency's nuclear weapons complex, a department
spokesman said.
NNSA Administrator Linton Brooks told a House hearing that he learned
of the security break late last September, but did not inform Energy
Secretary Samuel Bodman about it. It had occurred earlier that month.
Brooks blamed a misunderstanding for the failure to inform either
Bodman or Deputy Energy Secretary Clay Sell about the security
breach. Brooks' NNSA is a semiautonomous agency within the department
and he said he assumed DOE's counterintelligence office would have
briefed the two senior officials.
"That's hogwash," Rep. Joe Barton (news, bio, voting record), chairman
of the Energy and Commerce Committee, told Brooks. "You report
directly to the secretary. You meet with him or the deputy every
day. ... You had a major breach of your own security and yet you
didn't inform the secretary."
Bodman first learned of the theft two days ago, according to his
spokesman, Craig Stevens.
"He's deeply disturbed by the way this was handled," Stevens said. He
said Bodman has asked the department inspector general to investigate
why the security breach was not made known sooner.
Barton, R-Texas, called for Brooks' resignation because of his failure
to inform Bodman and other senior DOE officials of the security
failure.
The House Energy and Commerce oversight and investigations
subcommittee learned of the security lapse late Thursday, on the eve
of its hearing on DOE cyber security, said Rep. Ed Whitfield, R-Ky.,
chairman of the panel.
The issue dominated lawmakers' questioning of DOE officials at the
hearing. After an open session, the subcommittee continued
questioning Brooks and other officials about it at a closed session
because of the security implications.
Although the compromised data file was in the NNSA's unclassified
computer system -- and not part of a more secure classified network
that contains nuclear weapons data -- the DOE officials would provide
only scant information about the incident during the public hearing.
Brooks said the file contained names, Social Security numbers,
date-of-birth information, a code where the employees worked and codes
showing their security clearances. A majority of the individuals
worked for contractors and the list was compiled as part of their
security clearance processing, he said.
Tom Pyke, DOE's official charged with cyber security, said he learned
of the incident only a few days ago. He said the hacker, who obtained
the data file, penetrated a number of security safeguards in obtaining
access to the system.
Stevens said Bodman, upon learning of the incident, directed that the
individuals be immediately told their information had been
compromised.
Brooks acknowledged that no attempt was made to notify the individuals
until now. He declined to elaborate because of security concerns, but
indicated he could tell the lawmakers more in the closed session.
"If somebody got that information from your file, wouldn't you be a
little concerned if nobody told you?" Rep. Diane DeGette, D-Colo.,
asked Brooks.
"Of course I would," he replied.
The Energy Department spends $140 million a year on cyber security,
Gregory Friedman, the DOE's inspector general, told the committee. But
he said that while improvements have been made, "significant
weaknesses continue to exist," making the unclassified computer system
vulnerable to hackers.
Last fall, a so-called "Red Team" of DOE computer specialists --
seeking to test the security safeguards -- succeeded in hacking into
and gaining control of a DOE facility's computer system, the panel was
told.
"We had access to sensitive data including financial and personal
data ... we basically had domain control," said Glenn Podonsky,
director of DOE's Security and Safety Performance Assessment. "We were
able to get passwords, go from one account to another."
Podonsky did not name the facility.
But in response to questioning, he said that during the test it was
learned that an actual penetration of a DOE computer system had
occurred, leading to the theft of the files containing information
about the 1,500 contract workers.
On the Net:
Energy Department: http://www.energy.gov
National Nuclear Security Administration: http://www.nnsa.doe.gov
Copyright 2006 The Associated Press.
[TELECOM Digest Editor's Note: So what else is old news? Theft of
personal data from computers is getting to be an old story. PAT]
H. Josef Hebert (ap@telecom-digest.org)