
ORNL data theft and me

Earlier this week, it was reported that hackers had compromised a database inside Oak Ridge National Laboratory; this database contained personal data on all visitors to ORNL from 1990 through 2004. The names, dates of birth, Social Security numbers, and addresses of all those visitors had been stolen by thieves.

I was one of those visitors.

The database was stolen through a targeted phishing attack:

[ORNL Director Thom] Mason outlined the general aspects of the attack, which included a number of "phishing" e-mails sent to staff members, but he concluded the note by saying: "Because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack."

Phishing is the practice of sending official-looking e-mail to extract information from victims who believe them to be from legitimate institutions such as banks. In ORNL's case, some of the e-mail mimicked notices for scientific conferences and complaints filed with federal agencies, such as the Federal Trade Commission and the Equal Employment Opportunity Commission.

Mason told staffers that the attack appeared to be part of a "coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." He said ORNL's cyber security team has been working nights and weekends to try to understand the nature of the attack.

A spokesman at Los Alamos National Laboratory, a weapons design laboratory in New Mexico, confirmed Thursday afternoon that LANL also was attacked by hackers.

I visited ORNL numerous times during that fifteen-year time frame, mostly to conduct training for Lab personnel. Of all the places I've given out personal information, ORNL is the last one I would have thought could result in the theft of that data.

Although the data was stolen on October 29, I just received notification of the theft a couple of days ago, after the story first broke in the media. That gave the thieves five full weeks to do whatever they wanted with that data before I was notified.

ORNL has established a site to disseminate information about the theft, but at this point, it amounts to nothing more than a suggestion that those affected should have a fraud alert placed on their credit files.

Yeah, no kidding. Tell me something else obvious.

The site has contact information for all three credit reporting bureaus:

We recommend you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts and you will receive instructions on how to obtain a free credit report from each agency.

Equifax: 800-525-6285
Experian: 888-397-3742
TransUnion Corp: 800-680-7289

In addition to the report you receive after placing a fraud alert, you are entitled to one free credit report from each of the three credit reporting agencies per year.

Whether the data theft occurs from a government agency or a private company, it's up to the victim to make sure he or she isn't victimized further. The cost of data theft is almost always externalized and foisted onto you and me; shoddy security practices are not punished by forcing the custodian of the data to accept liability for that data's security. As long as government agencies and companies are allowed to externalize the costs of their own stupid security decisions, ordinary consumers and citizens will be forced to bear the brunt of their incompetence.

If agencies and companies were held liable for the security of personal data, that security would escalate overnight.

This is the second time in three years I've had to place a fraud alert on my credit file due to someone else's malfeasance. I'm really getting tired of having to carry the burden and risk for someone else's misdeeds. The custodians of my personal data have a responsibility to secure that data and prevent its theft. Any fraud perpetrated with my stolen data should be paid for by the agencies and companies holding that data and promising to keep it secure.

UPDATE 12/10/2007: The phishing attack on ORNL may have originated in China.

Published Sunday, December 09, 2007 10:49 PM by RussMcBee

Comments

Monday, December 10, 2007 7:35 AM by gregsedwards

# re: ORNL data theft and me

I was shocked and outraged to hear about the data theft at ORNL. Like Russ, I was a contracted technology instructor who made frequent visits to the lab over several years. I was required to submit my personal data to obtain security clearance, so I'm now at considerable risk for identity theft. Thanks a heap.

Monday, December 10, 2007 10:03 AM by RussMcBee

# re: ORNL data theft and me

Greg, the security of our personal data sure does give one a warm and fuzzy feeling, huh?
