In July 2007, the U.S. Department of Energy moved to fine the lab for an October 2006 breach that exposed classified data. A contract worker illegally downloaded and removed hundreds of pages of data from the lab using USB thumb drives.

Also in mid-2007, U.S. lawmakers criticized the lab after reports that several officials there had used unprotected e-mail networks to share highly classified information.

There were other security problems at the lab, including instances in 2003 and 2004 when the lab could not account for classified removable electronic media, such as compact discs and removable hard drives.

A lab spokesman did not immediately return an e-mail seeking comment on the GAO report. The DOE's National Nuclear Security Administration (NNSA), while it said it generally agreed with the report, said the lab has made progress in its cybersecurity efforts.

Many of the shortcomings have been addressed, said Michael Kane, associate administrator for the NNSA, in a letter to the GAO. In response to a DOE compliance order issued in 2007, "a number of key technical issues and policy implementation concerns have been or are currently being addressed," Kane said.