allan (HadIt.com Elder), posted October 12, 2009
Sent: Tuesday, October 06, 2009 9:39
Subject: Probe Targets Archives' Handling of Data on 70 Million Vets
Threat Level, Wired.com <http://www.wired.com/threatlevel>
Probe Targets Archives' Handling of Data on 70 Million Vets
By Ryan Singel <http://www.wired.com/threatlevel/author/ryan_singel/>
October 1, 2009 8:05 am
The inspector general of the National Archives and Records
Administration is investigating a potential data breach affecting tens
of millions of records about U.S. military veterans, Wired.com has
learned. The issue involves a defective hard drive the agency sent back
to its vendor for repair and recycling without first destroying the
data.
The hard drive helped power eVetRecs
<http://www.archives.gov/veterans/evetrecs/>, the system veterans use
to request copies of their health records and discharge papers. When the
drive failed in November of last year, the agency returned the drive to
GMRI, the contractor that sold it to them, for repair. GMRI determined
it couldn't be fixed, and ultimately passed it to another firm to be
recycled.
The incident was reported to NARA's inspector general by Hank Bellomy, a
NARA IT manager, who charges that the move put 70 million veterans at
risk of identity theft, and that NARA's practice of returning hard
drives unsanitized was symptomatic of an irresponsible security mindset
unbecoming to America's record-keeping agency.
"This is the single largest release of personally identifiable
information by the government ever," Bellomy told Wired.com. "When the
USDA did the same thing, they provided credit monitoring for all their
employees. We leaked 70 million records, and no one has heard a word of
it."
But NARA says the lost drive is not a problem because its contractors
signed privacy promises in their contracts, though the agency has since
changed its policy to require that sensitive media be destroyed by NARA
itself.
The drive was part of a RAID array of six drives containing an Oracle
database that held detailed records on 76 million veterans, including
millions of Social Security numbers dating to 1972, when the military
began using individuals' Social Security numbers as their service
numbers.
When the unencrypted drive failed, Bellomy says he tried to subvert the
longstanding recycling policy by hiding the drive in his safe. But it
was taken out of his control when he was put on long-term leave. Under
the conditions of the maintenance contract, if NARA did not return the
drive, GMRI would have billed the agency $2,000 for a replacement.
He adds that more drives failed after the November incident, and that he
performed a forensic scan on them to prove that they were full of
sensitive data.
"I said you can't turn them back in. The data is Privacy Act - it's
against the law," Bellomy told Wired.com. "We have no clue how many
drives have been sent back over the past seven years since this system
was in place. I am a government employee and I'm a veteran, and just
this year had both my credit cards replaced because they were
compromised."
The Pentagon requires that old drives be degaussed (demagnetized) or
physically destroyed. In a 2006 report still in effect, the National
Institute of Standards and Technology recommended purging and
destruction methods
<http://csrc.nist.gov/publications/nistpubs...800-88_rev1.pdf> (.pdf),
while OMB rules
<http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf> (.pdf)
dating to the same year require that agencies follow those NIST
standards and encrypt sensitive data being sent or stored remotely.
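An added example, not from the article, from NARA or from the vendor: a scan in the spirit of the forensic check Bellomy describes, run over a constructed raw-disk fragment before and after an overwrite, as a pre-return check that media holds no residual SSNs. The record layout is constructed, and the SSA issuance rules used to filter false positives are an assumption of this example.

```python
import re

# Constructed sample "raw disk image" bytes (not from the NARA drive):
# fragments of a database page that still holds veteran records.
UNSANITIZED_IMAGE = (
    b"\x00" * 32
    + b"SMITH,JOHN|123-45-6789|1972-03-01|"  # dashed SSN, valid shape
    + b"\xff" * 16
    + b"DOE,JANE|219099999|1980-11-12|"      # bare nine digits, valid shape
    + b"LOT 666-12-3456|"                     # area 666 is never issued: not an SSN
    + b"\x00" * 32
)
# Same media after a single overwrite pass (NIST 800-88 "clear"): all zeros.
SANITIZED_IMAGE = b"\x00" * len(UNSANITIZED_IMAGE)

# SSN shapes: dashed or bare nine digits, bounded by non-digits.
SSN_RE = re.compile(rb"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def ssn_plausible(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000
    (assumed filtering rule; it removes obvious false positives only)."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def find_residual_pii(image):
    """Return (offset, masked_value) for every plausible SSN found in raw bytes.
    Only the last four digits are kept so the report itself is not a leak."""
    hits = []
    for m in SSN_RE.finditer(image):
        if ssn_plausible(*m.groups()):
            hits.append((m.start(), b"***-**-" + m.group(3)))
    return hits


def overwrite_fraction(image):
    """Share of bytes that are 0x00 or 0xFF. A cleared disk is ~1.0; a drive
    still holding database pages is far lower. (A cryptographically erased
    drive looks random instead, so this check only applies to overwrites.)"""
    blank = sum(1 for b in image if b in (0x00, 0xFF))
    return blank / len(image)


def media_is_clean(image):
    """True when no plausible SSN survives on the media."""
    return not find_residual_pii(image)
```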
But NARA says that while it no longer will send back drives, no rules
were broken, and that warning veterans would cause unnecessary fear.
"NARA does not believe that a breach of PII (personally identifiable
information) occurred, and therefore does not believe that notification
is necessary or appropriate at this time," NARA told Wired.com in an
e-mailed background paper
<http://www.wired.com/images_blogs/threatle...09/sun-disk.pdf>
(pdf). "This view could change if the [inspector general] investigation
of this incident later determines that GMRI ... or their subcontractors
took some illegal or unethical action that may have compromised
sensitive data contained on the inoperable November 2008 disk drive."
As part of a six-disk RAID 5 setup, the drive likely contained about 18
percent of the database, and the disk also likely contained a quick
look-up table that included all veterans' names and service-record
numbers, according to Bellomy.
US-CERT, the nation's clearinghouse for data breaches and hacks, was
notified in February by a NARA employee named Thomas Bennett, according
to a document
<http://www.wired.com/images_blogs/threatle...ra-drive-uscert.pdf>
(.pdf) Bellomy provided to Wired.com.
"The information system contains a significant amount of Personally
Identifiable Information (PII) and Sensitive PII about veterans," wrote
Thomas Bennett, a NARA employee. "As a result, we believe that it is likely
that the defective drive contains PII and SPII. At this time, we are
trying to determine the location and status of the drive."
The status of the NARA investigation is unclear, though the incident was
alluded to in a recent report on the inspector general's activity.
"We are aware of the incidents and are looking into it," said Ross
Weiland, the assistant inspector general for investigations at NARA. He
declined further comment.
This isn't the first time that veterans' data has been lost or that NARA
has been investigated for controversial data-handling practices.
The Veterans Administration lost a laptop containing personal records
on more than 25 million veterans in 2005 and, earlier this year, settled
a class action suit over the breach by paying out $20 million
<http://www.gcn.com/Articles/2009/02/02/VA-...it-settlement.aspx>.
NARA recently lost a hard drive full of data from the Clinton White
House, including 100,000 Social Security numbers, political records and
event logs. The data has still not been located.
Both the House Oversight Committee for Veterans Affairs and an oversight
committee for NARA were notified of the lost drive, but neither
committee returned calls seeking comment.
President Obama's pick for a new archivist, David S. Ferriero, is
scheduled for a Senate confirmation hearing Thursday at 2:30.
"Keep on, Keepin' on"
Dan Cedusky, Champaign IL "Colonel Dan"
See my web site at:
http://www.angelfire.com/il2/VeteranIssues/