
Probe Targets Archives' Handling Of Data On 70 Million Vets

Question posted by allan (HadIt.com Elder)

Sent: Tuesday, October 06, 2009 9:39
Subject: Probe Targets Archives' Handling of Data on 70 Million Vets

Threat Level, Wired.com: Privacy, Crime and Security Online <http://www.wired.com/threatlevel>

Probe Targets Archives' Handling of Data on 70 Million Vets

By Ryan Singel <http://www.wired.com/threatlevel/author/ryan_singel/> (Email Author <mailto:ryan@ryansingel.net>)

October 1, 2009 8:05 am

The inspector general of the National Archives and Records Administration is investigating a potential data breach affecting tens of millions of records about U.S. military veterans, Wired.com has learned. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data.

The hard drive helped power eVetRecs <http://www.archives.gov/veterans/evetrecs/>, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled.

The incident was reported to NARA's inspector general by Hank Bellomy, a NARA IT manager, who charges that the move put 70 million veterans at risk of identity theft, and that NARA's practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America's record-keeping agency.

"This is the single largest release of personally identifiable information by the government ever," Bellomy told Wired.com. "When the USDA did the same thing, they provided credit monitoring for all their employees. We leaked 70 million records, and no one has heard a word of it."

But NARA says the lost drive is not a problem because its contractors signed privacy promises in their contracts, though the agency has since changed its policy to require that sensitive media be destroyed by NARA itself.

The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals' Social Security numbers as their service numbers.

When the unencrypted drive failed, Bellomy says he tried to subvert the longstanding recycling policy by hiding the drive in his safe. But it was taken out of his control when he was put on long-term leave. Under the conditions of the maintenance contract, if NARA did not return the drive, GMRI would have billed the agency $2,000 for a replacement.

He adds that more drives failed after the November incident, and that he performed a forensic scan on them to prove that they were full of sensitive data.

"I said you can't turn them back in. The data is Privacy Act - it's against the law," Bellomy told Wired.com. "We have no clue how many drives have been sent back over the past seven years since this system was in place. I am a government employee and I'm a veteran, and just this year had both my credit cards replaced because they were compromised."

The Pentagon requires that old drives be degaussed (de-magnified) or physically destroyed. In a 2006 report still in effect, the National Institute of Standards and Technology recommended purging and destruction methods <http://csrc.nist.gov/publications/nistpubs...800-88_rev1.pdf> (.pdf), while OMB rules <http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf> (.pdf) dating to the same year require that agencies follow those NIST standards and encrypt sensitive data being sent or stored remotely.

But NARA says that while it no longer will send back drives, no rules were broken, and that warning veterans would cause unnecessary fear.

"NARA does not believe that a breach of PII (personally identifiable information) occurred, and therefore does not believe that notification is necessary or appropriate at this time," NARA told Wired.com in an e-mailed background paper <http://www.wired.com/images_blogs/threatle...09/sun-disk.pdf> (pdf). "This view could change if the [inspector general] investigation of this incident later determines that GMRI ... or their subcontractors took some illegal or unethical action that may have compromised sensitive data contained on the inoperable November 2008 disk drive."

As part of a six-disk RAID 5 setup, the drive likely contained about 18 percent of the database, and the disk also likely contained a quick look-up table that included all veterans' names and service-record numbers, according to Bellomy.

US-CERT, the nation's clearinghouse for data breaches and hacks, was notified in February by a NARA employee named Thomas Bennett, according to a document <http://www.wired.com/images_blogs/threatle...ra-drive-uscert.pdf> (.pdf) Bellomy provided to Wired.com.

"The information system contains a significant amount of Personally Identifiable Information (PII) and Sensitive PII about veterans," wrote Thomas Bennett, a NARA employee. "As a result, we believe that is likely that the defective drive contains PII and SPII. At this time, we are trying to determine the location and status of the drive."

The status of the NARA investigation is unclear, though the incident was alluded to in a recent report on the inspector general's activity.

"We are aware of the incidents and are looking into it," said Ross Weiland, the assistant inspector general for investigations at NARA. He declined further comment.

This isn't the first time that veterans' data has been lost or that NARA has been investigated for controversial data-handling practices.

The Veterans Administration lost a laptop containing personal records on more than 25 million veterans in 2005 and, earlier this year, settled a class action suit over the breach by paying out $20 million <http://www.gcn.com/Articles/2009/02/02/VA-...it-settlement.aspx>.

NARA recently lost a hard drive full of data from the Clinton White House, including 100,000 Social Security numbers, political records and event logs. The data has still not been located.

Both the House Oversight Committee for Veterans Affairs and an oversight committee for NARA were notified of the lost drive, but neither committee returned calls seeking comment.

President Obama's pick for a new archivist, David S. Ferriero, is scheduled for a Senate confirmation hearing Thursday at 2:30.

"Keep on, Keepin' on"
Dan Cedusky, Champaign IL "Colonel Dan"
See my web site at: http://www.angelfire.com/il2/VeteranIssues/
