washingtonpost.com
Energy Dept. Discloses Data Theft
Victims, Top Officials Were Not Told About 2005 Hacking

Associated Press
Saturday, June 10, 2006

A hacker stole a file containing the names and Social Security numbers of 1,500 people working for the Energy Department's nuclear weapons agency.

But the incident last September, somewhat similar to recent problems at the Department of Veterans Affairs, was not reported to senior officials until two days ago, officials told a congressional hearing yesterday. None of the victims was notified, they said.

The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, N.M. The file contained information about contract workers throughout the agency's nuclear weapons complex, a department spokesman said.

NNSA Administrator Linton F. Brooks told a House hearing that he learned of the security break late last September but did not inform Energy Secretary Samuel W. Bodman about it. It had occurred earlier that month.

Brooks blamed a misunderstanding for the failure to inform either Bodman or Deputy Energy Secretary Clay Sell about the security breach. The NNSA is a semiautonomous agency within the department, and Brooks said he assumed the DOE's counterintelligence office would have briefed the two senior officials.

"That's hogwash," Rep. Joe Barton (R-Tex.), chairman of the House Energy and Commerce Committee, told Brooks. "You report directly to the secretary. . . . You had a major breach of your own security, and yet you didn't inform the secretary."

Bodman's spokesman Craig Stevens said the secretary is "deeply disturbed by the way this was handled." He said Bodman has asked the department's inspector general to investigate why the security breach was not made known sooner.

Barton called for Brooks's resignation because of his failure to inform Bodman and other senior DOE officials of the security failure.

The Energy and Commerce oversight and investigations subcommittee learned of the security lapse late Thursday, on the eve of its hearing on DOE cyber security, said Rep. Edward Whitfield (R-Ky.), chairman of the panel.

Although the compromised data file was in the NNSA's unclassified computer system -- and not part of a more secure classified network that contains nuclear weapons data -- DOE officials would provide only scant information about the incident during the public hearing.

Brooks said the file contained names, Social Security numbers, birthdates, codes showing where the employees worked and codes showing their security clearances. A majority of the individuals worked for contractors, and the list was compiled as part of their security clearance processing, he said.

Tom Pyke, the DOE official charged with cyber security, said he learned of the incident a few days ago. He said the hacker, who obtained the data file, penetrated a number of security safeguards in obtaining access to the system.

Stevens said Bodman, upon learning of the incident, directed that the individuals affected be immediately told that their information had been compromised.

The Energy Department spends $140 million a year on cyber security, Gregory H. Friedman, the DOE's inspector general, told the committee. But he said that while improvements have been made, "significant weaknesses continue to exist," making the unclassified computer system vulnerable to hackers.

View all comments that have been posted about this article.

© 2006 The Washington Post Company