Idaho National Laboratory (INL) has published a data breach alert on its website informing current and former employees that cybercriminals have stolen their personal information.
INL is one of the U.S. Department of Energy’s national laboratories specializing in nuclear energy research, running multiple experimental reactor programs, and developing pioneering energy distribution systems. The organization operates on a budget of $1 billion and currently employs over 5,700 personnel.
On November 20, the organization suffered a data breach from the hacktivist group SiegedSec, that leaked all stolen data for free on Telegram and hacking forums. The data, that remains available for download all this time includes full names, email addresses, phone numbers, home addresses, SSNs, employment information, and more.
The DoE, CISA, and the FBI aided internal investigations on the impact of the data breach. INL has begun alerting impacted individuals starting on December 12, 2023. The notices contain personalized information on the impact of the incident for each recipient, along with details on how to enroll in Experian’s identity theft and restoration services, the cost of which is covered by INL.
INL breach impact
INL stated that the data breach was contained on the cloud-based Oracle HCM system, which supports human resources (HR) operations, and hence, the information that was stolen impacts personnel.
The alert on INL’s website provides more details about which categories of employees and their dependents and spouses have been impacted by SiegedSec’s cyberattack.
Multiple forms of sensitive personally identifiable information (PII) including names, social security numbers, salary information and banking details were impacted.
INL
The incident impacts current and former INL employees who joined the organization on June 1, 2023, including postdocs, graduate fellows, and interns, who had their personally identifiable information (PII) exposed in the attack. Spouses and dependents of the employees mentioned above had their names and dates of birth compromised.
The exposure also impacts employees who retired either before or after June 1, 2023, but the information that has been compromised in each case varies, and this is something that is still being determined by the internal investigation.
Also, individuals employed by the Idaho Cleanup Project (ICP) between 2005 and 2006, along with their dependents and spouses may have also been impacted.
The data breach does not impact employees who started their employment at INL after June 1, 2023. Also, data from subcontractor employees has not been leaked, so it might not have been stolen in the attack.
Finally, the organization has noted that the investigation has unearthed no evidence that any other critical systems, networks, or databases beyond Oracle HCM were breached by the attackers.