There’s an update to the Savannah River Site (USDOE) breach reported back in March, but I don’t know that it really clarifies that much. Mike Gellatly reports:
The personal information of some 12,000 Savannah River Site employees stolen earlier this year was not “improperly distributed,” though it was found in the hands of a Site employee.
In an email distributed to SRS employees Monday, Dr. David Moody, manager of the Department of Energy-owned site, said the picture of the compromising of personally identifiable information has become clearer.
[…]
“I want to take this opportunity to follow up on my March 5 Savannah River Site employee communication,” Moody wrote. “The event that triggered the message was the discovery of personally identifiable information in the possession of an SRS employee. The circumstances surrounding the possession have since been clarified; there is no indication that the employee improperly distributed or compromised your PII.”
[…]
So was it really data theft? Or did an employee just transfer data to a device or email account for work purposes, but without authorization? Or was the employee planning to distribute/sell the information but got caught in time?
Dr. Moody’s email seems to leave something to be desired in the way of disclosure and transparency, unless there was more to his email that did not get published in the Aiken Standard.