Data Breach Information
Information and resources for current and previous employees
Feb. 7, 2024 data breach update: Authorities investigating suspicious letters mailed to homes
INL has confirmed that it is working with authorities to investigate suspicious letters received at the homes of several lab employees. The letters contain vague language threatening individuals impacted by November’s data breach unless they send a payment. The letters also contain personally identifiable information.
Employees should not respond to the letters or send payment information. To assist the investigation, INL is asking employees to bring the original copies of these letters to an INL badging office to be processed and analyzed by law enforcement. Staff members who work remotely should email [email protected] to let us know you received the letter, and keep the original letter and envelope in case they are needed for the investigation.
Background information
On Monday, Nov. 20, Idaho National Laboratory became aware of a cybersecurity data breach within Oracle HCM, a federally approved vendor system that resides outside the lab and supports certain INL Human Resources applications. Information was stolen for many current and previous employees of Battelle Energy Alliance (BEA), the contractor that manages Idaho National Laboratory (INL), and some Idaho Cleanup Project (ICP) employees.
The laboratory is working with DOE, the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and other national labs to investigate the breach.
Impacted individuals will receive a joint notification letter from Experian and INL beginning Tuesday, Dec. 12. These letters will detail the information lost during the cyber data breach and provide instructions on how to enroll in a no-cost, comprehensive credit monitoring, identity theft and identity restoration service provided by Experian.
We are committed to continuing transparent communication on this incident. Current employees should refer to the internal resource center available on Nucleus that will be updated with information and resources as they become available. Email [email protected] if you have questions.
Who is affected by the data breach?
Current INL employees, spouses and dependents:
We can confirm the release of information for many current INL employees (including postdocs, graduate fellows and interns), dependents and spouses in the data breach. Multiple forms of sensitive personally identifiable information (PII) were impacted. Affected employees will receive a joint notification letter from Experian and INL soon.
Those who were actively employed on June 1, 2023:
These individuals have information, including multiple forms of sensitive PII, in the data set impacted in the breach.
Dependents and spouses of employees who were actively employed on June 1, 2023:
These individuals have information, including names and dates of birth, in the data set impacted in the breach.
Employees who began active employment after June 1, 2023:
These individuals did not have any data impacted by the breach.
Previous INL employees, interns, postdocs and their dependents and spouses:
The laboratory continues to determine full impacts to previous INL employees, including interns and postdocs, in addition to spouses and dependents. Names and dates of birth for these individuals were impacted. For many previous employees, we know that other sensitive PII also may have been exposed. Impacted individuals will receive a joint notification letter from Experian and INL soon.
Employees who left INL after June 1, 2023:
Individuals who left INL for any reason after June 1, 2023, (e.g., voluntary or involuntary separation, etc.) have information, including multiple forms of sensitive PII, impacted by the breach.
Dependents and spouses of employees who left INL after June 1, 2023:
These individuals have information, including names and dates of birth, in the data set impacted in the breach.
INL retirees and their dependents and spouses:
INL continues to determine full impacts to retirees in addition to spouses and dependents. Names and dates of birth for these individuals were impacted. For some retirees, we know that other sensitive PII also may have been exposed. Impacted individuals will receive a joint notification letter from Experian and INL soon.
Employees who retired from INL after June 1, 2023:
Individuals who retired from INL for any reason after June 1, 2023 have information, including multiple forms of sensitive PII, impacted by the breach.
Employees who retired from INL before June 1, 2023:
INL continues to determine full impacts to previous employees, including retirees. Names and dates of birth for these individuals were impacted. For many previous employees, we know that other sensitive PII also may have been exposed. Impacted individuals will receive a joint notification letter from Experian and INL soon.
Dependents and spouses of employees who retired from INL after June 1, 2023:
These individuals have information, including names and dates of birth, in the data set impacted in the breach.
Individuals employed by the Idaho Cleanup Project between 2005 and 2006:
Anyone employed by the Idaho Cleanup Project (ICP) between 2005 until mid-2006 may have information impacted by the breach. During that time frame, ICP used BEA’s Peoplesoft HR system and they were loaded into the Oracle HCM system as former employees. Dependent or beneficiary information may have been impacted by the breach.
Who is not affected by the data breach?
The event did not impact INL’s own network, or other networks or databases.
INL employees who began active employment after June 1, 2023:
These individuals did not have any data impacted by the breach.
Experian Credit Monitoring
Impacted Individuals will receive a joint notification letter from Experian and INL at their home address. This letter will include activation codes to enroll in no-cost identity protection and credit monitoring services for all individuals, including employees, spouses and dependents who were impacted by the data breach. All individuals 18 and over will receive their own token to enroll in services. Dependents under 18 will receive coverage under the employee’s code.
All individuals have until March 10, 2024, to enroll in the Experian products and use its call center services. Impacted individuals will receive coverage for at least one year. This service will cover impacted individuals from the start date of the contract with Experian on Nov. 27. This means that employees and dependents will be covered for any fraud that occurs on or after Nov. 27, even if they have not yet enrolled.
Identity monitoring services will include:
- Tri-Bureau Credit Report and Monitoring.
- Experian 1 Bureau Credit Report.
- VantageScore Tracker, which provides a monthly Experian credit score.
- Score Simulator to help individuals see how certain actions will impact their credit.
- Experian Real-Time Credit Inquiry Notifications.
- Credit Limit, Utilization and Balance Notifications.
- Change of Address, which monitors if an individual’s mail has been rerouted.
Identity protection services will include:
- Experian Real-Time Authorization Notifications when personal information is used for new applications or identity validations.
- Experian Internet Surveillance to monitor internet activity for trading or selling of personal information.
- Court Records searches criminal and court records to determine if an individual’s identity has been used by an unauthorized user.
- Lost Wallet provides protection for all personally identifiable information that has been compromised.
- Non-Credit or Pay-Day Loans alerts individuals when no credit check or payday loans have been acquired using their Social Security number.
- Social Security Number Trace provides a report of all names, aliases and addresses associated with an individual’s Social Security number.
- Financial Account Takeover monitors activity in deposit accounts, including new deposit account applications, new deposit accounts opened, changes made to deposit account holder’s personal information and new signers added to account.
Impacted individuals can reach Experian identity protection agents 24/7 via a dedicated, toll-free customer assistance line. These agents can explain identity theft risks and remediation options, and help with enrollment, identity restoration and product-related questions.
Individuals who need identity restoration will arrange a call back from a highly trained fraud resolution agent, who is certified under the federal Fair Credit Reporting Act.
INL’s service with Experian also includes identify theft insurance for enrolled individuals. This service provides reimbursement for U.S. residents for certain ancillary expenses associated with restoring their identity should they become a victim of identity theft.
Identity protection guidance for deceased individuals
Unfortunately, the data breach also impacted some deceased individuals. We recognize that this presents a unique challenge for these families and have asked for resources to help. Experian has provided guidelines on Protecting Deceased Individuals to help these families protect their deceased loved ones’ estates from identity theft.
How should affected individuals protect their information?
INL has finalized a contract with Experian to provide no-cost credit monitoring to all individuals (including employees, spouses and dependents) impacted by the data breach. Impacted individuals will receive a joint letter from Experian and INL soon with details on how to enroll in this service, as well as the types of personal information impacted by the data breach. Individuals should also review their credit reports using sources like Annual Credit Report.com.
In addition, all affected individuals should follow best cybersecurity practices to keep their information safe, including:
Freezing your credit
Place a free credit freeze on your credit report. This will prevent unauthorized access to your credit history and credit score and prevent an unauthorized individual from taking out a loan or opening new lines of credit in your name.
Individuals must establish an online account at each of the U.S. Credit Reporting Agencies:
Contact your financial institutions
Contact financial institutions listed in your Oracle HCM profile on June 1, 2023, and follow their recommendations for account safety. Keep an eye on your financial accounts (bank, credit card, shopping) for suspicious activity. Consider updating passwords or implementing multifactor authentication if you don’t already have it in place.
Other recommendations
Be on guard for identity theft. More information on this topic is available from the Federal Trade Commission and usa.gov.
Watch your email, text messaging, social media and phone calls for highly targeted phishing attempts that take advantage of this information. Many cybercriminals prefer to launch attacks on weekends and around the holidays.
Frequently Asked Questions
The laboratory was alerted to the breach in the early morning hours of Nov. 20, 2023.
The laboratory was alerted to the breach in the early morning hours of Nov. 20, 2023.
Like many organizations, INL relies on cloud-based systems to perform certain business operations. Oracle is a Department of Energy-approved cloud-based vendor that supports our Human Resources applications like payroll and benefits administration. In this case, the data breach occurred offsite on a federally approved cloud-based system that contained INL data and that was supported by a subcontractor. The test environment of the cloud-based system was accessed by a threat actor who stole sensitive data and posted it online. INL’s own network was not breached.
INL has finalized a contract with Experian to provide no-cost credit monitoring to all individuals (including employees, spouses and dependents) impacted by the data breach. Impacted individuals will receive a joint letter from Experian and INL soon with details on how to enroll in this service, as well as the types of personal information impacted by the data breach.
Contact financial institutions listed in your Oracle HCM profile on June 1, 2023, and follow their recommendations for account safety. Keep an eye on your financial accounts (bank, credit card, shopping) for suspicious activity. Consider updating passwords or implementing multifactor authentication if you don’t already have it in place.
No. The breach only impacted the cloud-based Oracle HCM test environment that resides off-site.
A well-known hacking organization has taken responsibility via social media, but a full investigation must be completed to confirm this information.
In the immediate aftermath of the event, INL worked to restrict access to the environment involved in the breach, alerted federal law enforcement agencies, and began confirming the individuals and the types of information that were compromised. We also worked to notify impacted individuals through internal and external means and provided recommendations to minimize the impact. The laboratory also alerted stakeholders including the Department of Energy, and local, state and federal elected officials.
INL is working with Experian to provide comprehensive, no-cost credit monitoring, identity restoration and identify fraud insurance to all individuals (including employees, spouses and dependents) impacted by the data breach. Impacted individuals will receive a joint letter from Experian and INL soon with details on how to enroll in this service.
Investigations are ongoing and further information about the data breach and future actions will be shared when possible.
We can confirm the release of information for employees (including postdocs, graduate fellows and interns), dependents and spouses in the data breach. Currently, we have not seen any data for subcontractor employees. Multiple forms of sensitive personally identifiable information (PII) including names, social security numbers, salary information and banking details were impacted as outlined below. Impacted employees will receive a joint notification letter from Experian and INL soon.
- Those who were actively employed on June 1, 2023: These individuals have information, including multiple forms of sensitive PII, in the data set impacted in the breach.
- Employees who began active employment after June 1, 2023: These individuals did not have any data impacted by the breach.
- Employees who left INL after June 1, 2023: Individuals who left INL for any reason after June 1, 2023, (e.g., retirement, voluntary or involuntary separation, etc.) have information, including multiple forms of sensitive PII, impacted by the breach.
- Dependents and spouses of employees who were actively employed on June 1, 2023, and/or who left INL after June 1, 2023: These individuals have information, including names and dates of birth, in the data set impacted in the breach.
- Previous employees, (including retirees, interns, grad fellows and postdocs) and their dependents/spouses: We can confirm that names and dates of birth for these individuals were impacted. For some previous employees, we know that other sensitive PII was also exposed.
Yes. INL is working with the Department of Energy, the Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and other national labs to investigate the breach.
Recommended steps for those who may have been impacted include:
- Placing a free credit freeze on your credit report. This will prevent unauthorized access to your credit history and credit score and prevent an unauthorized individual from taking out a loan or opening new lines of credit in your name. Individuals must establish an online account at each of the U.S. Credit Reporting Agencies: Equifax, Transunion, Experian, Innovis, and National Consumer Telecom and Utilities Exchange.
- Contact financial institutions listed in your Oracle HCM profile on June 1, 2023, and follow their recommendations for account safety. Keep an eye on your financial accounts (bank, credit card, shopping) for suspicious activity. Consider updating passwords or implementing multifactor authentication if you don’t already have it in place.
- Review your credit reports using sources like Annual Credit Report.com.
- Be on guard for identity theft. More information on this topic is available from the Federal Trade Commission and gov.
- Watch your email, text messaging, social media and phone calls for highly targeted phishing attempts that take advantage of this information. Many cybercriminals prefer to launch attacks on weekends and around the holidays.
- The Federal Trade Commission can help you develop a customized identity theft plan. Visit gov, click “Get Started,” and then select “My information was exposed in a data breach.”
- During tax season, bad actors submit tax returns to the IRS and divert refunds to their bank account. The IRS has created a Taxpayer Guide to Identity Theft that may be useful. The IRS also recommends creating an identity protection PIN, but this option is not open until January.
Our investigation is ongoing, but at this time, we have seen limited retirement information included in the breach. The only data included was whether an employee is enrolled in the retirement plan. We have not seen any retirement account details included in the breach.
To help ensure that your information is not compromised, you may want to consider taking advantage of the following security features from Vanguard.
Experian has the capability to cross check addresses and address change requests with the United State Postal Service to ensure the most current address is on file for each individual.
Unfortunately, some deceased individuals and some former employees that live outside the U.S. were also impacted by the data breach. For families of deceased loved ones, we recognize that this presents a unique challenge and we have asked for resources to help. Experian has provided guidelines on Protecting Deceased Individuals to help these families protect their deceased loved ones from identity theft. Families and estates may also contact INL’s Privacy Office at [email protected] with additional questions or for more information.
A small number of former INL employees impacted by the data breach currently reside outside of the U.S. In these countries, identity protection laws and resources vary. Individuals who live outside the U.S. and wish to speak with someone about coverage options can contact INL’s Privacy Office at [email protected].
If you have difficulties registering for Experian’s no-cost, comprehensive credit monitoring, identity theft, and identity restoration services, or receive an invalid access code notification while registering, Experian has provided the following information to assist in the process:
An invalid code error will appear in the following circumstances:
- The code is entered incorrectly, such as lowercase instead of capitalized letters.
- The individual has already initiated the product but closed the browser before finalizing authentication (at that point the code is “burned,” and a fresh membership cannot be initiated).
- In this case, the person should call Experian using the phone number listed in the enrollment letters to verify their identity and gain access to the membership.
- Some browsers trigger the error if the page has been cached. Clearing the browsing history usually fixes the error.
- The individual is using a different URL than the one provided in their letter when trying to enroll.
If you experience any other issues while registering for service, call the Experian phone number listed in your letter for assistance.