A hacker stole a file containing the names and Social Security numbers of 1,500 people working for the Energy Department's nuclear weapons agency.
But in the incident last September, somewhat similar to recent problems at the Veterans Affairs Department, senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said.
The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, N.M. The file contained information about contract workers throughout the agency's nuclear weapons complex, a department spokesman said.
NNSA Administrator Linton Brooks told a House hearing that he learned of the security breach late last September, but did not inform Energy Secretary Samuel Bodman about it. It had occurred earlier that month.
Disclosure delay blamed on "misunderstanding"
Brooks blamed a misunderstanding for the failure to inform either Bodman or Deputy Energy Secretary Clay Sell about the security breach. Brooks' NNSA is a semiautonomous agency within the department and he said he assumed DOE's counterintelligence office would have briefed the two senior officials.
"That's hogwash," Rep. Joe Barton, chairman of the Energy and Commerce Committee, told Brooks. "You report directly to the secretary. You meet with him or the deputy every day... You had a major breach of your own security and yet you didn't inform the secretary."
Bodman first learned of the theft two days ago, according to his spokesman, Craig Stevens.
"He's deeply disturbed by the way this was handled," Stevens said.
Barton, R-Texas, called for Brooks' resignation because of his failure to inform Bodman and other senior DOE officials of the security failure.
The House Energy and Commerce oversight and investigations subcommittee learned of the security lapse late Thursday, on the eve of its hearing on DOE cyber security, said Rep. Ed Whitfield, R-Ky., chairman of the panel.
The issue dominated lawmakers' questioning of DOE officials at the hearing. After an open session, the subcommittee continued questioning Brooks and other officials about it at a closed session because of the security implications.
Stolen file was unclassified
Although the compromised data file was in the NNSA's unclassified computer system — and not part of a more secure classified network that contains nuclear weapons data — the DOE officials would provide only scant information about the incident during the public hearing.
Brooks said the file contained names, Social Security numbers, date-of-birth information, a code where the employees worked and codes showing their security clearances. A majority of the individuals worked for contractors and the list was compiled as part of their security clearance processing, he said.
Tom Pyke, DOE's official charged with cyber security, said he learned of the incident only a few days ago. He said the hacker, who obtained the data file, penetrated a number of security safeguards in obtaining access to the system.
Stevens said Bodman, upon learning of the incident, directed that the individuals be immediately told their information had been compromised.
Brooks acknowledged that no attempt was made to notify the individuals until now. He declined to elaborate because of security concerns, but indicated he could tell the lawmakers more in the closed session.
"If somebody got that information from your file, wouldn't you be a little concerned if nobody told you?" Rep. Diane DeGette, D-Colo., asked Brooks.
"Of course I would," he replied.
"Significant weaknesses exist"
The Energy Department spends $140 million a year on cyber security, Gregory Friedman, the DOE's inspector general, told the committee. But he said that while improvements have been made, "significant weaknesses continue to exist," making the unclassified computer system vulnerable to hackers.
Last fall, a so-called "Red Team" of DOE computer specialists — seeking to test the security safeguards — succeeded in hacking into and gaining control of a DOE facility's computer system, the panel was told.
"We had access to sensitive data including financial and personal data.... We basically had domain control," said Glenn Podonsky, director of DOE's Security and Safety Performance Assessment. "We were able to get passwords, go from one account to another."
Podonsky did not name the facility.
But in response to questioning, he said that during the test it was learned that an actual penetration of a DOE computer system had occurred, leading to the theft of the files containing information about the 1,500 contract workers.