In yet another example showing that clueless consumers aren't the only ones who fall victim to computer scams, the Oak Ridge National Laboratory yesterday disclosed that phishing attacks may have provided cybercrooks with access to personal data on people who visited the lab between 1990 and 2004.
In an e-mail sent to staffers this week, Thom Mason, director of the government research facility, reported that the lab has been the target of what he described as a sophisticated cyberattack by hackers seeking to gain access to computer networks at numerous research facilities and other government institutions across the country.
According to the note, the unknown hackers gained access to a nonclassified laboratory database, which contained personal information on people who have visited the facility in Oak Ridge, Tennessee, over a 14-year period starting in 1990.
Mason said the hackers made about 1,100 attempts to steal data by sending an unknown number of staffers a total of seven phishing e-mails. It was not immediately clear from the letter if that meant a total of 1,100 such e-mails were sent or if 1,100 separate attempts were made to send such messages to the organization.
According to Mason's e-mail, the phishing e-mails appeared legitimate and attempted to persuade recipients to open attachments or links. One of the bogus e-mails, for instance, purported to notify individuals of a scientific conference. Another pretended to notify the recipients of Federal Trade Commission complaint, he noted.
"At present, we believe that about 11 staffers opened the attachments, which enabled the hackers to infiltrate the system and remove data," Mason's note stated.
"Reconstructing this event is a very tedious and time-consuming effort that likely will take weeks, if not longer, to complete," he added. Meanwhile, he said, the lab is attempting to notify all the potential victims, whose Social Security numbers, names and dates of birth may have been pilfered.
The Oak Ridge incident is the second recent widely publicized phishing attack on a large organization. Earlier this year, grocery chain Supervalu Inc. was nearly scammed out of US$10 million by phishers.
In that incident, the company received e-mails that falsely claimed to be from two of its approved suppliers -- American Greetings and PepsiCo's Frito-Lay unit. The e-mails instructed Supervalu to send future payments to both suppliers to new bank accounts, one in Florida and the other in Arkansas.
The company sent over US$10 million to these fake accounts before realizing that it had been conned.