Data breach at US nuclear energy firm leaks sensitive employee information

An unnamed hacktivist group has claimed responsibility for the incident

Michael Hill
11/22/2023


A data breach at the Idaho National Laboratory (INL), part of the U.S. Department of Energy and one of the country’s foremost advanced nuclear energy testing labs, has exposed the sensitive information of employees. Affected data includes addresses, Social Security numbers and bank account information, according to EastIdahoNews.com. The breach, which occurred on Sunday, November 19, is being investigated and federal law enforcement are reportedly involved.

Hacktivist group claimed responsibility for the data breach

“Earlier this morning, Idaho National Laboratory determined that it was the target of a cybersecurity data breach, affecting the servers supporting its Oracle HCM system, which supports its Human Resources applications,” spokesperson Lori McNamara told EastIdahoNews.com. INL has taken “immediate action” to protect employee data and has been in touch with federal law enforcement agencies, including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), to investigate the extent of data impacted in this incident, McNamara said.

An unnamed hacktivist group has claimed responsibility for the incident on social media after claiming to have obtained “hundreds of thousands” of data points from the INL. This reportedly includes dates of birth, email addresses, phone numbers, Social Security numbers, physical addresses and employment information.

Data breach highlights severity of cyber threats for individuals and national security

While the weakness or vulnerability enabling this breach is unknown, it highlights the severity of cyber threats and the potential consequences for both individuals and national security, commented Erfan Shadabi, cybersecurity expert at comforte AG. “The involvement of federal law enforcement agencies underscores the national security implications of cyber security breaches. Organizations, whether in the public or private sector, should learn from incidents like the INL breach and prioritize the implementation of robust data-centric security measures.”

This includes encryption, tokenization, access controls, regular audits and employee training to create a comprehensive defense against cyber threats, he added. “This breach also serves as a reminder that organizations must not only prioritize the protection of customer data but also internal employee data.”

Although media surrounding this event claims that no nuclear secrets, intellectual property or R&D information was accessed or stolen, it is nonetheless highly disconcerting that the staff generating that intellectual property and participating in the most advanced nuclear energy R&D have had their information leaked online, said Colin Little, security engineer at Centripetal. “There appears to be some controversy about whether the threat actor group who stole the data is at all politically motivated; I find this question to be irrelevant, because now those who are politically motivated and would very much like to know the names and addresses of the top nuclear energy researchers in the US have that data as well.”
