An outside contractor hired by the Federal Bureau of Investigation (FBI) breached the agency's computer network and gained access to the passwords of 38,000 employees, the Washington Post reported.
The consultant, Joseph Colon, was an employee of defense contractor BAE Systems with a top-secret security clearance.
According to Colon's lawyers, he was granted permission to hack the network on several occasions by agents at the Springfield, Illinois, field office where he worked.
Colon claimed that frustration with the slow pace of approval for routine assignments drove him to hack the network and gain access to the employee records, using "run-of-the-mill" hacker tricks and scripts that are freely available on the Internet.
The resultant hacks gave Colon access to high-risk information areas, such as the Witness Protection Program. Both the FBI and Colon's lawyers declined to provide more specifics regarding the case.
The FBI has suffered repeated embarrassments over its outdated computer systems and its expenditure of millions of dollars on a potential upgrade that was abandoned.
It also came under heavy scrutiny for extending a five-year, multimillion-dollar deal for technology services to ChoicePoint, the data broker most famous for being hacked by a ring of Nigerian identity thieves.
Government agencies have been dealing with issues of third-party security and improving data protection in wildly different ways, often depending on the agency's internal culture and its views on technology.
Many federal agencies -- including the FBI -- do not maintain proper oversight of the contractors who have access to Social Security numbers, according to a Government Accountability Office (GAO) report.
Another GAO report found that the IRS had "significant weaknesses" in collecting and protecting taxpayer data. That report also mentioned lack of oversight and training for contractors as a potential security risk.
Government and business leaders have each admonished the other side to do more about protecting the data they collect.
The Federal Trade Commission (FTC) testified before Congress that data brokerage businesses like ChoicePoint should be more vigilant in protecting Social Security numbers, but that such collections were necessary to ensure the continuation of business that relies on customer information.
A survey conducted by the National Association for Information Destruction (NAID) found that the requirements for "shredding" enacted as part of the Fair and Accurate Credit Transactions Act (FACTA) do not go nearly far enough to ensure businesses destroy their paper data records, and that government should push for stronger data protection laws.