Following an attack carried out at the end of November by an online extremist group calling itself SiegedSec, Idaho National Laboratory (INL), one of the main nuclear research centers in the United States, confirmed that the attackers stole personal information from more than 45 thousand people after breaching its cloud-based Oracle HCM HR management platform.
INL is one of 17 U.S. Department of Energy (DOE) national laboratories and employs 6,100 researchers and support personnel involved in national security and nuclear research. On November 20, the lab confirmed it had been the victim of a “data breach” that affected its external Oracle HCM system a day earlier. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are assessing the impact of the attack as part of an ongoing joint investigation.
The research lab says in a breach notification letter filed this week with the Attorney General's Office of the New England state of Maine that attackers exfiltrated the data of 45,047 current and former employees (including postdocs, postdoctoral fellows, graduates and interns) as well as their dependents and spouses. The breach did not affect employees hired after June 1 of this year.
While it is still investigating the full impact of the incident, INL said multiple forms of sensitive personally identifiable information (PII) were affected, including names, Social Security numbers, salary information and bank details. “The event did not impact the laboratory network itself, or other networks or databases used by employees, laboratory customers or other contractors. The breach only affected the cloud-based Oracle HCM test environment that resides off-site,” INL says in the statement.
Although INL did not attribute the attack to a specific group, SiegedSec operators claimed responsibility for the attack on November 20 and leaked stolen human resources data on a hacking forum. Just as it did when it leaked data allegedly stolen from NATO and Atlassian, SiegedSec made no attempt to negotiate with INL or demand a ransom to return the data, publishing it directly online.
SiegedSec claims the data leaked online includes a wide range of sensitive information, including individuals’ full names, dates of birth, email addresses, phone numbers, Social Security numbers (SSN), physical addresses, and employment information.
Sources: CisoAdvisor, Maine Attorney General’s Office