No classified information was lost but the personal information of visitors may have been stolen from the Oak Ridge National Laboratory.
Oak Ridge National Laboratory, a U.S. Department of Energy facility, said on Thursday that its computer network had been comprised by a spear-phishing attack.
"A hacker illegally gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications," ORNL said in a statement. "When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory."
ORNL said that no classified information was lost but that the personal information of visitors may have been stolen. Visitors to the laboratory between 1990 and 2004 may have had their personal information, such as Social Security number and date of birth, stolen as a result of the data theft.
The breach occurred on Oct. 29, 2007. ORNL said there's no evidence that the stolen information has been used for identity theft fraud, but nonetheless recommended that anyone who visited the lab between 1990 and 2004 place a fraud alert on their credit file.
A spokesperson for ORNL wasn't immediately available.
Spear-phishing -- sending e-mail messages that appear to come from a business or associate with whom the recipient has a relationship in order to dupe the recipient into clicking on a link to a malicious site or content -- is a major concern for the government because it has proven to be an effective means of cyberespionage. It works because it relies on human gullibility to bypass perimeter-based security measures.
More than 90% of the serious breaches in which sensitive information is taken from government agencies involve spear phishing, according to Alan Paller, research director for the SANS Institute. In a phone interview prior to the release of the SANS Top 20 Internet Security Risks of 2007, Paller spoke of a chief information security officer of a federal agency who discovered that his computer was sending information to China. The official had been the target of spear phishing. "Even the people who are responsible for security aren't secure," said Paller.
According to a report released earlier this week by the Anti-Phishing Working Group, the number of password-stealing Trojan keyloggers detected rose for the fourth month in a row in August, for a total of 294 unique variants. The working group also said that the number of unique phishing reports submitted to the group in August was 25,624, an increase from the 2,500 reports in July.
Last year, InformationWeek published a report about the prevalence of compromised computers (bots) at government agencies and laboratories. Data provided by Trend Micro suggested that thousands of bots were operating from within government organizations and affiliated entities.
The Agile ArchiveWhen it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
2014 Analytics, BI, and Information Management SurveyITís tried for years to simplify data analytics and business intelligence efforts. Have visual analysis tools and Hadoop and NoSQL databases helped? Respondents to our 2014 InformationWeek Analytics, Business Intelligence, and Information Management Survey have a mixed outlook.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.