Stolen personal info poses a bigger risk than ID theft
From SANS NewsBites:
Energy Dept. Officials Learn of Data Security Breach Months After the Fact (9 June 2006)
Senior Energy Department officials learned on June 7 that a cyber intruder stole a file containing names and Social Security numbers (SSNs) of 1,500 workers at the Energy Department’s nuclear weapons agency from a computer system at the National Nuclear Security Administration (NNSA). The breach occurred in September 2005. Although NNSA administrator Linton Brooks learned of the breach in September, he maintains he did not know whose job it was to inform Energy Secretary Samuel Bodman or Deputy Energy Secretary Clay Sell. Secretary Bodman has directed that the individuals affected by the data theft be notified immediately; no effort to notify them had been made before.
One take from SANS was that more attention needs to be paid to the security implications of remote workers.
My take is a little different.
If you want to hurt the US, you target its critical capabilities.
My concern is that these names were stolen to:
1) provide an inside track for social engineering
2) provide a means of impersonating a valid user in a targeted system attack.
You can discover for yourself what the National Nuclear Security Administration (NNSA) does. I imagine that the 1,500 or so employees probably have access to data we probably don’t want the average Joe to have access to.
The threat here far supersedes identity theft.
Bill