A hacker stole a file containing the names and Social Security numbers of 1,500 people working for the Energy Department's nuclear weapons agency.
But senior department officials were told of the incident, which occurred last September and is somewhat similar to recent problems at the Veterans Affairs Department, only two days ago, officials told a congressional hearing Friday. None of the victims were notified, they said.
The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, N.M. The file contained information about contract workers throughout the agency's nuclear weapons complex, a department spokesman said.
NNSA Administrator Linton Brooks told a House hearing that he learned of the security break late last September, but did not inform Energy Secretary Samuel Bodman about it. It had occurred earlier that month.
Bodman first learned of the theft two days ago, according to his spokesman.
"He's deeply disturbed by the way this was handled," said Craig Stevens, a spokesman for Bodman.
Rep. Joe Barton, R-Texas, chairman of the Energy and Commerce Committee, called for Brooks' resignation because of his failure to inform Bodman and other senior DOE officials of the security failure.
The House Energy and Commerce oversight and investigations subcommittee learned of the security lapse Thursday evening on the eve of its hearing on DOE cyber security, said Rep. Ed Whitfield, R-Ky., chairman of the panel.
The issue dominated lawmakers' questioning of DOE officials at the hearing. After an open session, the subcommittee continued questioning Brooks and other officials about it at a closed session because of the security implications.
Although the compromised data file was in the NNSA's unclassified computer system — and not part of a more secure classified network that contains nuclear weapons data — the DOE officials would provide only scant information about the incident during the public hearing.
Brooks said the file contained names, Social Security numbers, date-of-birth information, a code indicating where the employees worked and codes showing their security clearances. A majority of the individuals worked for contractors and the list was compiled as part of their security clearance processing, he said.
Tom Pyke, DOE's official charged with cyber security, said that he learned of the incident only a few days ago. He said the hacker, who obtained the data file, penetrated a number of security safeguards in obtaining access to the system.
Stevens said that Bodman, upon learning of the incident, directed that the individuals be immediately told their information had been compromised.
Brooks acknowledged that no attempt was made to notify the individuals until now. He declined to elaborate because of security concerns, but indicated he could tell the lawmakers more in the closed session.
"If somebody got that information from your file, wouldn't you be a little concerned if nobody told you?" Rep. Diana DeGette, D-Colo., asked Brooks.
"Of course I would," he replied.