National Nuclear Security Administration Screws Its Employees

Apparantly, the NNSA had posted lots of its human resources data on an internet-exposed system and someone figured out how to access it. So its possible that the social security numbers and other personal data of about 1500 employees and contractors was stolen to be used in identity theft.

From the WaPo here:

WASHINGTON (Reuters) – A computer hacker got into the U.S. agency that guards the country’s nuclear weapons stockpile and stole the personal records of at least 1,500 employees and contractors, a senior U.S. lawmaker said on Friday.

The target of the hacker, the National Nuclear Safety Administration, is the latest agency to reveal that sensitive private information about government workers was stolen.

The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA.

Committee chairman Rep. Joe Barton said NNSA Administrator Linton Brooks should be “removed from your office as expeditiously as possible” because he did not quickly notify senior Energy Department officials of the breach.

“And I mean like 5 o’clock this afternoon if it’s possible,” Barton, a Texas Republican, said in a statement.

This is a failure across the board for CIAC. CIAC monitors all DOE network firewalls and intrusion detection systems. If they missed the attack, it could be due to lack of visibility into the attack, such as the access was encrypted, or they didnt have an IDS signature to detect the breach. If it was simply an exposure issue, this is also CIAC’s fault since they should be doing comprehensive vulnerability analysis on their own systems.

Also, by failing to report this properly, the NNSA is in clear violation of government directives for reporting security incidents.

People should be fired over this, both at the NNSA and at CIAC.