PII Has No Shelf Life

By Steve Muck - Published, May 14, 2008

The following synopsis of a recently reported loss or breach of personally identifiable information (PII) highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy office.

On Jan. 5, 2008, a government employee was notified by the local police department that "someone had stolen his identity and was about to use his credit card to buy a big screen TV at a major department store." Four suspects were arrested when an alert salesperson became suspicious of the purchase.

One of the suspects was in possession of a two-page report dated 1994 containing government employment data. That same individual had in his possession other credit cards, four of which were related to additional names in the compromised report. The report contained names, Social Security numbers, dates of birth, organization codes, position titles and other employment related data.

It is unknown how the individual(s) came to be in possession of this hard copy report and whether additional pages of this report have also been compromised.

All affected employees and former employees whose information appears on the compromised list have been notified or are in the process of being notified.

The Naval Criminal Investigative Service (NCIS), the Federal Bureau of Investigation (FBI) and the Secret Service were all involved to some extent in this first-of-a-kind Department of the Navy identity theft incident.

Lessons Learned

  • Compromised PII data can be used by thieves for many years to come.
  • Wherever possible, delete Social Security numbers and sensitive personal information from any list, database or e-mail before transmission or storage. SSNs are a critical element for bad guys to use in stealing personal identities.
  • Routinely review files and destroy PII by making it unrecognizable when no longer needed.
  • With any identity theft, immediately file a police report, contact the Federal Trade Commission web site at www.ftc.gov/idtheft and close any accounts that have been tampered with or established fraudulently. The FTC also recommends that you place a "Fraud Alert" on your credit reports and review the reports carefully.
Steve Muck is the DON CIO privacy team lead.

TAGS: Cybersecurity, Privacy

Related News
Related CHIPS Magazine