After data breach, Idaho National Laboratory publishes information about who is impacted
Published at | Updated at
IDAHO FALLS — Following a massive data breach at Idaho National Laboratory last week, site officials have created a webpage to inform current and former employees who has been impacted and what they should do about it.
INL media spokeswoman Lori McNamara says the information about the breach was published Wednesday afternoon.
The data breach occurred on the night of Nov. 19, and was discovered by INL the next day. Officials determined the breach occurred “within Oracle HCM, a federally approved vendor system that resides outside the lab and supports certain INL Human Resources applications.”
A politically-motivated hacking group immediately claimed responsibility for the hack, and made the information available on its Telegram social media account. That post — along with all the leaked data — was live for days before it was removed.
McNamara said it’s unknown how many times the information was downloaded. It’s also unclear who was responsible for the post ultimately being taken down from Telegram.
The total number of people impacted by the leak is unknown, but it numbers in the thousands of current and former local workers. The data included names, birth dates, email addresses, phone numbers, Social Security numbers, addresses and other employment information.
The INL’s new webpage about the breach specifies the data was stolen from current and former employees of Battelle Energy Alliance, the contractor that manages Idaho National Laboratory. This includes information about interns and postdoctoral students.
The leak also included data about the spouses and dependents of employees.
Additionally, anyone employed by the Idaho Cleanup Project between 2005 and mid-2006 may have been impacted by the breach.
The webpage goes into greater detail about who was impacted and what data was obtained for each group of people. It can be viewed here.
It appears that employees who began active employment after June 1, 2023 were not impacted by the breach. The webpage also said the hack did not impact INL’s own network or its databases.
INL has negotiated a contract with Experian to provide no-cost credit monitoring to all individuals, which includes employees, spouses and dependents that have been impacted by the data breach.
A letter will be sent out to everyone impacted and will include activation codes to enroll in the identity protection and credit monitoring services.
Employees have been told to do the following:
- Place a free credit freeze on your credit report
- Monitor financial institutions
- Update passwords
- Implement multi-factor authentication
The lab is working with the U.S. Department of Energy, the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and other national labs to investigate the breach.
Click here for more information about the breach.
