The Stars and Stripes is carrying a small notice that a CD with information on retirees was lost in the last week of August. The breach affected non-appropriated fund retirees. The incident could have been easily prevented by the use of data at rest encryption software like AlertBoot. In fact, the military already has a commitment to use encryption for protecting personnel data. What went wrong here?
A CD with information on 25,000 NAF retirees was sent from Virginia to Texas via mail. The CD contained the following: names, SSNs, dates of birth, and retirement data (dates, type of retirement, term data, dates of service, etc).
This is not the first time that CDs have gone missing on the way to a particular destination. Heck, there was even that incident where radioactive rods went missing a year ago (they were eventually found).
Nor is this the first time that the military has had problems with data breaches. In fact, if you follow the previous link, I commented that:
After a number of embarrassing breaches, the Department of Defense instituted a policy where data on removable devices (such as CDs and portable USB drives) was supposed to be encrypted. This became a requirement sometime around December 2007.
I remember this because there were reports around the same time that the US Air Force had decided to extend the requirement to all of their laptops. A later order banned the use of USB drives in military computers because of malware concerns (viruses stealing military access codes and the like).
Now, in the above case, I was commenting on a breach that was caused by a contractor, so I shrugged it off. While contractors might sign an agreement to use encryption software to protect sensitive personnel info, history has shown us that some of these promises are not worth the paper they’re printed on.
In this case, though, it looks like the breach is being blamed squarely on the military proper. What happened?
I can only think of two things. The first scenario is where NAF retirees are not strictly military personnel but worked under some kind of arrangement with the Department of Defense. This doesn’t really explain why the Army is sending out notices, though.
The second scenario is much more hum-drum: someone screwed up. Someone in charge of sending the CD out was supposed to protect the data with encryption but forgot to do so. (There is also the possibility that the process of encrypting the data was so confusing that the person thought he or she had encrypted the CD, contrary to what actually happened.)
Large Databases Require Encryption
I’m pointing out the obvious, but the last thing you want to have is a situation where names, birthdates, and Social Security numbers are lost on a massive scale. Despite appearances, CDs store massive amounts of data. The last thing you want to do is copy 25,000 sets of sensitive data without using cryptographic protection.