Former NSA contractor Edward Snowden reportedly gained access to classified data after persuading several co-workers to reveal their passwords.
As many as 20 to 25 workers at a National Security Agency base in Hawaii revealed their login credentials to Snowden, allowing him to obtain some of the documents that he eventually leaked to the media, Reuters reported on Friday.
Citing a "source close to several U.S. government investigations into the damage caused by the leaks," Reuters said that Snowden convinced his co-workers that he needed their passwords in his capacity as a computer systems administrator. Some of the employees who shared their passwords were identified, questioned, and removed from their assignments, another source told Reuters. But it wasn't clear if they were assigned to other jobs or actually fired from the agency.
If true, this report shows that often the greatest security risk to an organization lies within rather than without. Even if the NSA had implemented the necessary security software, a simple shared password could still have given Snowden access to all the classified data he wanted.
"In the classified world, there is a sharp distinction between insiders and outsiders," Steven Aftergood, a secrecy expert with the Federation of American Scientists, told Reuters. "If you've been cleared, and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy. What agencies are having a hard time grappling with is the insider threat, the idea that the guy in the next cubicle may not be reliable."
A spokesman for the NSA told CNET that he had no comment on the investigations.