06.12.06

Cantwell Demands Answers, Better Safeguards Following Theft of Thousands of Hanford Workers’ Personal Data

WASHINGTON, DC – Following recent reports of two separate Department of Energy (DOE) security breaches, U.S. Senator Maria Cantwell (D-WA) demanded quick action to prevent future data thefts and help Hanford workers guard their identities. Monday, the Department of Energy announced that Yakima police had found a ten-year-old list with the personal information of 4,000 employees transferring from a former contractor to Fluor Hanford. This report comes less than a week after news that a hacker stole an electronic file containing the names, Social Security numbers, dates of birth, and security clearance levels of 1,500 DOE contractor employees working for the National Nuclear Security Administration (NNSA) in September 2005.

“Today’s news that the personal information of 4,000 Hanford workers has been floating around in the open shows that we still have a long way to go when it comes to keeping sensitive information out of the wrong hands,” said Cantwell, a member of the Senate Energy Committee. “Just last month, the Department of Veterans Affairs lost a file with 26 million veterans’ personal information. Last week, we found out that the National Nuclear Security Administration kept the theft of 1,500 workers’ personal information secret for at least eight months. I will continue fighting for stronger safeguards and to improve remedies for victims of identity theft, to make sure security breaches on this scale become a thing of the past."

In letters sent today to Energy Secretary Samuel Bodman and the Chairman and Ranking Member of the Senate Energy Committee, Cantwell called for a hearing on the recent DOE security breaches, requested more information on the incidents, and asked what the DOE was doing to help affected workers protect their identities.

“With the prevalence of identity theft and its tremendous impact on all Americans, I am concerned that this stolen information may be used for criminal purposes,” wrote Cantwell. “…Information like that stolen during these incidents is among the primary tools which identity thieves use to prey on hard-working Americans.”

Cantwell is advising affected Hanford workers to check their financial statements for suspicious activity, including inquiries from companies they have not done business with, purchases they did not make, new accounts they did not open, bills and statements that do not arrive as expected, and denials of credit for no apparent reason. All Americans can also request one free credit report each year. To request a credit report, citizens can visit Annual Credit Report or call 1-877-322-8228.

If individuals discover suspicious or unusual activity, they should contact the fraud department of one of the three major credit bureaus immediately: Equifax at 1-800-525-6285 or their website, Experian at 1-888-397-3742 or their website, or TransUnion at 1-800-680-7289 or their website. They should then close any accounts that have been tampered with or opened fraudulently, file a police report with local police or the police in the community where the identity theft took place, and file a complaint with the Federal Trade Commission by phone at 1-877-438-4338, online at www.consumer.gov/idtheft, or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.

Cantwell has worked actively to help identity theft victims and reduce the number of identity thefts. Last week, following news reports that intruders stole an electronic data file last month with the names, birth dates, and Social Security numbers of 26 million veterans, Cantwell began working with veterans groups to provide 50,000 informational handouts to help veterans protect themselves from identity theft.

In 2003, Cantwell worked to pass the Fair and Accurate Transactions Act, which helps ensure that identity theft victims are able to protect their credit rating from further damage by requiring credit reporting agencies to block information on fraudulent transactions resulting from identity theft. Cantwell’s legislation created a standardized process for people to establish themselves as victims of identity theft, and allows law enforcement to act as the victim’s agent in obtaining business records. The law also requires businesses to provide all relevant application and transaction records to the victim. Cantwell is also the sponsor of legislation to investigate the link between meth crimes and other criminal activity such as identity theft.

[The text of Cantwell’s letter to the Secretary of Energy follows below]

June 12, 2006

Dear Secretary Bodman,

I am very concerned about recent reports that thousands of Department of Energy (DOE) and contractor employees, including as many as 4,000 working at the Hanford site in my state, have had their privacy and financial security compromised by the theft or seemingly unauthorized possession of sensitive personal data. With the prevalence of identity theft and its tremendous impact on all Americans, I am concerned that this stolen information may be used for criminal purposes.

As you know, last week the Administrator of National Nuclear Security Administration (NNSA) testified before congressional committees that a hacker stole an electronic file containing the names, Social Security numbers, dates of birth, security clearance levels, and places of employment of roughly 1,500 people working for Department of Energy contractors in September 2005. According to media reports, you were not informed of the theft until last week. Worse still, the victims whose personal data was stolen, were not immediately notified after the hacking and information theft took place.

The disclosure of the NNSA data theft coincides with the recent discovery of a significant security breach in my state. During a police search in Yakima, WA last week, local law enforcement discovered stolen documents containing personal information of roughly 4,000 employees transferring from a former contractor to Fluor Hanford as part of the Project Hanford Management Contract in 1996. According to reports, the information, kept in paper form, contained the names, social security numbers, dates of birth, work titles, and assignments of affected Hanford site employees. This theft may affect thousands of current and former DOE employees and contract employees.

Both of these incidents raise serious questions about the security of sensitive personal information. In the case of the NNSA data theft, the efforts to inform affected members of the workforce should be reexamined. Information like that stolen during these incidents is among the primary tools which identity thieves use to prey on hard-working Americans.

While I understand that you have various investigations underway, the dedicated employees at the Hanford site and across the Department of Energy complex deserve quick answers. Please respond to my questions below:

  • Can you specify how many DOE employees or contractor employees had their personal information stolen?
  • What information was compromised?
  • What safeguards (encryption policies, policies on off-site data removal, etc.) does the DOE have in place to protect against these incidents?
  • Is there any evidence that the stolen information has been used to engage in additional criminal activity?
  • What steps has the DOE taken in both incidents to coordinate with federal and state law enforcement agencies to protect employees against the criminal use of their stolen personal information?
  • What steps is the DOE taking to notify all affected current and former employees and contract workers, including those who may be hard to reach, of the data theft?
  • What additional information is the DOE providing, so affected employees and contract workers may protect themselves from potential identity thieves?
  • What steps is the DOE taking to make sure similar incidents do not happen again?

I know you share my concerns about the security of sensitive information held by the federal government and the well-being of the DOE workforce. Sadly, with these disclosures, the financial security of thousands of DOE and contract employees are at risk. The federal government has an obligation to do better. I look forward to your quick response to my questions. Thank you.

###