A cyber attack launched on the Oak Ridge National Laboratory in Tennessee could have compromised the personal records of thousands of lab visitors, leaving them susceptible to potential identity theft.
ORNL Director Thom Mason issued an all-staff e-mail earlier this week warning employees that the institution had been a target of a "sophisticated cyber attack" that appeared to "be part of a coordinated attempt to gain access to networks" at Oak Ridge laboratories and other institutions across the country.
Hackers had gained access to one of the lab's non-classified databases containing personal information, which included social security numbers and birth dates, of laboratory visitors between 1990 and 2004, according to the letter. Security researchers have thus far estimated around 1,100 attempts of data theft that occurred through a series of seven phishing e-mails, all of which initially appeared to be official communications. While no classified information appeared to be lost, personal visitor information may have been stolen.
The original e-mail and first potential corruption occurred on Oct. 29, kicking off the wave of malicious attacks. One of the fake e-mails notified employees of a conference, while another pretended to notify the employee of a Federal Trade Commission complaint. Both messages were accompanied by an attachment, which employees were instructed to open. The downloadable file contained malicious code that allowed the attackers to copy and retrieve personal identifying information of lab visitors. Officials so far estimate that a total of 11 staff members opened the attachments.
"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cyber security issues," Mason said.
Mason maintained that ORNL would be contacting as many of the individuals as possible whose records were compromised in order to alert them to the potential identity threat. He also asserted in his message that every security system at the laboratory was in place and in compliance during the course of the heist.
"Each year the Laboratory is forced to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network," he said in his message. "We will continue this commitment."
However, security experts speculate that government agencies and enterprise businesses alike will have to implement a more comprehensive and multifaceted security strategy in order to keep up with perpetrators and further protect sensitive data.
"We need a layered approach to security," said Brian Cleary, VP of marketing at the Aveksa, an enterprise access governance firm. "You even put policies in place saying location becomes important. Thinking about that user-center approach can minimize issues like this and potentially contain them."
"We need to think about the fact that 50 percent of data loss is within the organization. The vast majority of it is unintentional. It's just carelessness," he added.