Tens of thousands of current and former employees of a leading US cybersecurity and nuclear research laboratory were impacted by a major data breach discovered in November, it has been revealed.
The Idaho National Laboratory (INL) said in an updated notice published this week that it first became aware of the incident on November 20. The lab claimed that it did not impact its own network or databases, but rather its Oracle HCM system, which “resides outside the lab and supports certain INL Human Resources applications.”
The breach impacted current and former employees – including interns, graduate fellows and post-doctorate researchers – as well as retirees and dependents and spouses. Only INL employees who began after June 1 2023 are not affected, it said.
The lab revealed that some individuals employed by the Idaho Cleanup Project (ICP) between 2005 until mid-2006 may also have had their personal data compromised.
The Office of the Maine Attorney General confirmed that 45,047 individuals were affected by the breach.
A breach notification letter published by the OAG confirmed that the incident took place on November 19, and that the hackers got their hands on a treasure trove of information.
“We can confirm that multiple forms of sensitive personally identifiable information (PII) including names, social security numbers, salary information and banking details were exposed for many individuals,” it explained.
“Some individuals only had their names and dates of birth compromised. The compromised information contained payroll data for employees, former employees, and retirees that was current as of June 1, 2023.”
INL is offering free credit monitoring to those affected and said they should also put a freeze on their credit report to minimize the chances of fraudsters opening new lines of credit in their name.
“Watch your email, text messaging, social media and phone calls for highly targeted phishing attempts that take advantage of this information. Many cybercriminals prefer to launch attacks on weekends and around the holidays,” it added.
The SiegedSec hacktivist group has claimed responsibility for the attack, having published the data online.
meow meow, the sexy hackers at SiegedSec just breached the INL (Idaho National Laboratory) divulging thousands of data points such as – full name,date of birth,email address,phone number,social security number,address,employment info and more :3 https://t.co/B2quaNFxgF
— SiegedSec (@SiegedSecurity) November 20, 2023
INL is one of 17 US Department of Energy national labs, with a long history of producing cybersecurity, nuclear and clean energy research.