SRS employee stole 12, 000 coworkers' information

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.aikenstandard.com/article/20130507/AIK0101/130509647/1004/srs-employee-stole-12000-coworkers-information-data-not-8216-improperly-distributed-8217

The personal information of some 12,000 Savannah River Site employees
stolen earlier this year was not “improperly distributed,” though it
was found in the hands of a Site employee.

In an email distributed to SRS employees Monday, Dr. David Moody,
manager of the Department of Energy-owned site, said the picture of
the compromising of personally identifiable information has become
clearer.

The Savannah River Site's Cyber Security Team identified the
unauthorized disclosure of personally identifiable information in
March, indicating this was not the result of a cyber-intrusion. This
would mean someone from within the secure walls of SRS had accessed
the information.

“I want to take this opportunity to follow up on my March 5 Savannah
River Site employee communication,” Moody wrote. “The event that
triggered the message was the discovery of personally identifiable
information in the possession of an SRS employee. The circumstances
surrounding the possession have since been clarified; there is no
indication that the employee improperly distributed or compromised
your PII.”

In March, the personal information of 12,000 employees was reported to
have been compromised, but DOE stressed that no classified information
was taken from the top-secret, nuclear weapons complex site.

DOE officials would not, at that time, release details of the breech
as the incident was under investigation by the Office of the Inspector
General. The Inspector General has not yet released any of its
findings publicly.

“I hope this provides you with some clarity, and I trust this message
addresses any concerns you may have had related to this PII incident,”
Moody ended his message.

Requests for more information on the data theft were not answered Monday.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.