Idaho National Laboratory Pwned…. And Data On Employees Has Leaked

The Idaho National Laboratory got pwned over the weekend. Here’s what happened next:

Idaho National Laboratory experienced a massive data breach on Sunday night, leading to the leak of employee addresses, Social Security numbers, bank account information and much more.

INL media spokesperson Lori McNamara tells the breach is being investigated and federal law enforcement are involved.

“Earlier this morning, Idaho National Laboratory determined that it was the target of a cybersecurity data breach, affecting the servers supporting its Oracle HCM system, which supports its Human Resources applications. INL has taken immediate action to protect employee data,” says McNamara. “INL has been in touch with federal law enforcement agencies, including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, to investigate the extent of data impacted in this incident.”

According to INL, more information will be shared as the situation progresses.

Slight problem though, they didn’t protect employee or any other data: was able to download and view the hacked information. We have been able to confirm the authenticity of the leaked information from several employees. The information impacts thousands of local workers. 

A politically-motivated hacking group has claimed responsibility for the data breach on various social media platforms. is not naming the group, due to the nature of the sensitive information, which is now publicly available. 

As of 11 a.m., INL officials could not confirm the identity of the hackers.

Lovely. John Gunn, CEO, Token has this comment:

90% of data breaches start with a successful phishing attack, yet most organizations are using 20-year-old legacy multifactor authentication (MFA) technology as their primary means of securing access. So many headlines and so many breached companies, and all from the same vulnerability – people falling victim to sophisticated phishing attacks. And it will only get worse as cybercriminals expand their use of AI.

This attack based on what we know is pretty bad. And I suspect that as more details emerge, the scope of how bad this is will become clear.

UPDATE: I did say that as more details emerged, the scope of how bad this is would become clear. Here are some additional details. In a Telegram post on Sunday, the hacking group SiegedSec claimed to be behind this hack.

The group claims to have accessed the servers supporting INL’s Oracle human resources applications, gaining access to detailed information on current and former employees.

Another data point: INL operates under the Department of Energy, and its scientists work on national security programs, including protecting critical infrastructure like the U.S. power grid. INL is also the premier lab for nuclear energy, focusing on energy security, reliability and cybersecurity.

Corey Brunkow, Director of Engineering Operations, had this comment based on the above:

   “Oracle Human Capital Management is an application under the Oracle Fusion Cloud SaaS suite which is listed on the FedRAMP Marketplace with an agency-authorized Authority to Operate (ATO). This SaaS has been provided authorization to operate by at least 5 separate Authorizing Agencies after going through an extensive and expensive FedRAMP process. The fact that this service was breached and could lead to the breach of the at least 10 other agencies that have provided an ATO or reused the ATO for this product leads me to conclude that the US Government’s over-reliance on exhaustive check-list based compliance and security theater through documentation is not a fail-safe against the myriad of negative outcomes in cybersecurity. Compliance programs like FedRAMP authorization are only one portion of a complete cybersecurity posture, and the current rate of threat generation and activity is much faster than any human auditor can keep pace with.

   “The negative outcome here, beyond the initial breach of data, is a clear national security concern due to the sensitive nature of the work and the capable people that do the work at our national labs. With the data revealed through this hack, the Department of Energy should prepare for individual or organizational blackmail campaigns, individual threats, and possibly the departure of critical and highly skilled workforce members. The SiegedSec hacktivist group, now armed with detailed information about employees, could pose a significant risk to the likelihood of insider threat problems due to the stress and situation that the newly breached employees now face with their personal sensitive data exposed to a hacktivist group that has previously targeted NATO entities and other government services.”
