The Army National Guard has experienced a data breach via an unnamed contractor, whose laptop was stolen on July 27. A total of 131,000 former and current guard members are affected. It was not revealed whether adequate data protection was used on the laptop. Hard drive encryption from AlertBoot, for example, would give some reassurance that the information of guard members would not be used for fraudulent purposes.
Army National Guard Bonus and Incentives Program
According to the ng.mil site, the stolen computer was a personal laptop belonging to a contractor (although a FAQ on the site claims it was stolen “from an Army National Guard employee”).
Also, it seems to affect only soldiers who enrolled in the Army National Guard Bonus and Incentives Program. Stolen data includes names, SSNs, and payment amounts and their dates.
Based on the above, I’m jumping to the conclusion that the contractor in this case is an accountant, or at least works in an accounting-related field (I presume the SSNs are required for tax reporting purposes).
131,000 names and SSNs on a laptop. That’s a lot of SSNs.
Was Data Encryption Software Used?
No matter what type of computer one’s using–a desktop, laptop, or other–and where one’s using it–the office, at home, an underground bunker, etc.–when one’s dealing with over 100,000 names and SSNs, it’s always a good idea to have some additional protection for that data.
A solution like hard disk drive encryption would prevent unauthorized access to the data in the event that a computer is lost or stolen. The use of file encryption would keep the data confidential if a file were saved to a CD or even e-mailed by mistake.
So, was encryption used? My brain is giving me mixed signals here. On the one hand, I was under the impression that the military requires any sensitive data-at-rest to be encrypted.
On the other, this is a private contractor (supposedly), so such rules wouldn’t extend to this person.
On the other other hand, I’ve concluded that this contractor works in the financial industry, which means that he or she must have known that you can’t go around with 131,000 SSNs on your laptop without some type of data protection program.
The clincher for me, though, is the fact that the use of encryption is not mentioned anywhere. Usually, encryption is mentioned only when it’s used (so far, I haven’t found too many companies and organizations that announce a data breach and the fact that their stolen computer was unencrypted; it’s not something to be proud of). So, if I had to bet money, I’d say we’re looking at a full-blown data breach.