Campus Alert Archive
INL

Hacktivists Breach a Nuclear Research Lab's HR System, Email Every Employee Their Own Records

IDinfrastructure failureadvisorymedium confidence
Confirmed Threat

Over the weekend of November 19-20, 2023, the SiegedSec hacktivist group claimed it had breached Idaho National Laboratory's Oracle HCM human-resources system and leaked tens of thousands of employee records including names, dates of birth, addresses, Social Security numbers, salaries, and direct-deposit information. INL — a Department of Energy lab that hosts the Center for Advanced Energy Studies jointly operated with Idaho State University, Boise State, the University of Idaho, and the University of Wyoming — sent a campus-wide notice to all employees and CAES-affiliated graduate students on Monday morning. The breach is widely credited as the largest publicly documented hack of a US national laboratory of the decade.

Alerts
3
Response
min
Killed
0
Injured
0
Institution
Idaho National Laboratory
Other · ID
0INL Alert
Confirmed Timeline

Alert Sequence

3 messages in sequence · 1 verified verbatim

Some alert texts below are approximate reconstructions from news coverage, not confirmed verbatim transcripts. Reconstructed texts are shown in italic with a dashed border. Verified verbatim texts have a solid border and are marked accordingly.

INITIAL ALERTEmail
Verified verbatimIdaho National Laboratory community notice — quoted verbatim by East Idaho News and the Idaho Statesman649 chars
Over the weekend of November 19, Idaho National Laboratory identified that it was the target of a cybersecurity data breach involving Oracle HCM, which supports our human resources applications. INL has taken immediate action and has engaged federal law enforcement, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, to investigate the extent of data impacted in this incident. INL will be in direct contact with employees about resources available to them in the coming days. Out of an abundance of caution, please continue to monitor your financial accounts and report any suspicious activity.
INL names Oracle HCM in the very first notice — unusually specific, because SiegedSec had already posted the system's name publicly.
DOE labs are subject to faster disclosure requirements than private institutions under [CISA's CIRCIA reporting framework](https://www.cisa.gov/circia).
UPDATEEmail+6 h
Approximate reconstructionReconstructed from CAES partner-university notices forwarded to graduate students552 chars
This message is being shared with Idaho State University, Boise State University, University of Idaho, and University of Wyoming graduate students and faculty who have appointments at the Center for Advanced Energy Studies. Idaho National Laboratory has disclosed a cybersecurity incident involving its human resources system. If you have ever held an INL appointment, fellowship, or joint appointment, your personal information may have been exposed. Please follow the guidance in the INL community notice. Your home institution has not been breached.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Important reassurance: 'Your home institution has not been breached.' Graduate students at four partner universities had to be told their own school's systems were unaffected.
Joint-appointment data is a recurring vulnerability — researchers exist in two HR systems at once and a breach of either exposes them.
FOLLOW-UPEmail+11d
Approximate reconstructionReconstructed from INL formal breach-notification letter as quoted by East Idaho News576 chars
Idaho National Laboratory has determined that the personal information of current and former employees was accessed in the November 19, 2023 cybersecurity incident affecting Oracle HCM. Affected data may include name, date of birth, Social Security number, residential address, marital status, employment status, salary, and direct-deposit bank account information. INL is offering two years of complimentary credit monitoring and identity-theft protection through Experian IdentityWorks. Enrollment instructions and an activation code have been mailed to the address on file.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Two-year credit-monitoring offer is the new federal contractor standard following [OMB Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).
Bank account and direct-deposit numbers are an unusually high-impact data class — most university breaches don't include payroll routing information.
Context

Background

Idaho National Laboratory is one of seventeen Department of Energy national laboratories and the lead US lab for nuclear-reactor R&D. INL operates jointly with Idaho State University, Boise State, the University of Idaho, and the University of Wyoming through the Center for Advanced Energy Studies (CAES) in Idaho Falls, so a breach of INL HR data automatically exposes graduate students and faculty across four state universities. Over the weekend of November 18-19, 2023, SiegedSec — a hacktivist crew that mixes furry-fandom imagery with political messaging — claimed it had pulled approximately 45,000 employee records from INL's Oracle HCM tenant and published samples on Telegram. INL confirmed the breach on Monday November 20 in a community notice quoted verbatim by East Idaho News and BleepingComputer. The FBI and CISA were engaged. The CAES partner universities sent follow-on notices to their own joint-appointed students. Formal breach notifications with two-year credit-monitoring offers went out in early December 2023. Members of Congress later cited the INL breach in questioning DOE on cloud-HR risk at federally funded research and development centers.
Analysis

Key Findings

SiegedSec breached INL's Oracle HCM (cloud HR) tenant rather than INL's classified or unclassified internal networks — a now-common pattern of SaaS-tenant compromise.
Approximately 45,000 employee records were exposed, including direct-deposit banking information — an unusually severe data class.
Graduate students and faculty at four CAES partner universities (Idaho State, Boise State, U of Idaho, U of Wyoming) were caught in the breach via joint INL appointments.
Incident drove Congressional scrutiny of cloud-HR risk at DOE national laboratories and federally funded research centers.
Outcome
INL confirmed the breach on November 20, 2023, brought in the FBI and CISA, took the Oracle HCM tenant offline, and notified individuals beginning in early December. SiegedSec posted samples but did not appear to monetize the data; the group has framed itself as a furry-themed hacktivist collective rather than a financially motivated one.
Provenance

Sources

  1. national media
    Idaho National Laboratory discloses massive data breach — BleepingComputer
    bleepingcomputer.com
  2. national media
    Idaho National Laboratory cyberattack: SiegedSec claims responsibility — The Record
    therecord.media
  3. Official
    INL Cybersecurity Incident page
    inl.gov
  4. News
    INL data breach: what we know — East Idaho News
    eastidahonews.com
Tags
cyberattackdata-breachhacktivismsiegedsecoracle-hcmnational-laboratoryidahojoint-appointmentinfrastructure-failure
Added May 2026Updated May 2026Via ingestion