Los Alamos National Laboratory warned employees about protecting themselves against identity theft after the names and Social Security numbers of 550 lab workers were posted on a Web site run by a subcontractor working on a security system.
An April 5 letter to the employees from Jan A. Van Prooyen, the lab's acting deputy director, said the problem was discovered the previous week when a lab employee happened upon the Web site of a software services company that had been hired years before.
Clicking a link and entering a password provided online led to a table that included names, and in some cases, Social Security numbers, of people who entered certain lab sites around 1998, the letter said.
Van Prooyen said the lab wasn't aware of "this unauthorized use" of personal information until March 28, and that the former subcontractor removed the information that afternoon after the lab contacted the company.
The issue is among cybersecurity matters to be discussed Friday at a hearing of the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee.
Rep. Bart Stupak, D-Mich., chairman of the oversight subcommittee, said the panel has already held a dozen hearings on problems at the lab, and that "absent significant improvements, we will be seeking alternative locations in the DOE (Department of Energy) complex for having this classified work performed."
Kevin Roark, a spokesman for the lab, said Wednesday it was "widely inappropriate to use actual people's names and actual people's information" in the demonstration software program by Albuquerque-based Lujan Software Services.
A call from The Associated Press to Lujan Software Services was not immediately returned.
Van Prooyen's letter said the lab did not know how long the information had been online. However, it said the information wasn't likely to have been misused given that it was buried within the Web site, the site did not appear to have been widely accessed and the subcontractor's business had not been active for about two years.
The letter acknowledged the "potential compromise of your Social Security number," and included five steps for people to take to guard against identity theft. Those include considering placing a fraud alert on credit files and being alert for bills that don't arrive on time or receiving credit cards for which they hadn't applied.
Roark said lab Director Michael Anastasio is prepared to respond to questions about the posting of personal information on the Web site.
However, he said, Anastasio's remarks will focus on "our demonstrable progress in making cybersecurity improvements over the past few months."
"He's got real result to give them," he said.
The University of California ran the lab for more than 60 years, but a series of security breaches led the DOE to put the contract out for bid. Last June, a new management team, which includes Bechtel Corp. and the university, took over.