Data Theft—US Department of Energy

Just weeks after it was disclosed that millions of veterans’ personal identification information was stored on a laptop which was stolen from a Veteran Affairs employee’s home,^[1] the US Federal government is reeling from yet another incident of data theft. This time, a computer hacker allegedly “stole sensitive information on 1,500 people working for the nuclear-weapons unit of the Energy Department.”^[2] And, just as happened after the theft of the VA information, “neither the theft victims nor high officials were notified,” this time for nine months.^[3]

The theft happened at a National Nuclear Security Administration center in Albuquerque, and a wide range of information was compromised: “names, Social Security numbers, birth dates and information on where the people worked and their security clearances” were stolen.^[4] The theft was disclosed at a House Energy and Commerce Committee subcommittee on oversight and investigation hearing on Friday, prompting Republican Representative Joe L. Barton of Texas to declare that the administrator of the nuclear security agency, Linton F. Brooks, should resign, “like 5 o’clock [that] afternoon, if that’s possible.”^[5] Rep. Barton continued his harangue by asking “how [Mr. Brooks] could meet with the Secretary every day the last seven or eight months and not inform him?”^[6] Mr. Brooks responded that he didn’t know why Energy Secretary Samuel W. Bodman was not notified, but mentioned that he had assumed that other senior officials had notified Mr. Bodman.^[7]

The National Nuclear Security Administration was established in 2000, partly in response “to fears of Chinese espionage”; it has 37,000 federal employees, military personnel, and contractors responsible “in part for designing and maintaining nuclear weapons.”^[8]

Stealing defense-related information is an extremely serious national security crime under 18 U.S.C. § 1030(a)(1). Under this statute, it is a crime for a person to access a computer without authorization or by exceeding his authorized access, and thereby obtain restricted information or data—with reason to believe that such information could be used to the injury of the United States, or to the advantage of any foreign nation—and then either transmit that information to a person not entitled to receive it or to retain it himself. One of the fears that some people have about the compromised data is that the person stealing the data could “’try to get people to do things they shouldn’t’ through threats, blackmail or other pressure.”^[9] The punishment for a violation of section 1030(a)(1) is a fine, imprisonment for up to 10 years, or both.^[10]

---

[1] See, e.g., Hope Yen, Accountability Sought in Theft of VA Data, AP (via Guardian (UK)), Jun. 7, 2006.
[2] David Stout, Data Theft at Nuclear Agency Went Unreported for 9 Months, NY Times, Jun. 10, 2006.
[3] Id.
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] 18 U.S.C. § 1030(c)(1)(A).