In February 2018, a breach of personally identifiable information (PII) was reported to the Office of the Chief Information Officer (OCIO), formerly the Department of the Navy CIO, by a DON component. The breach involved emailing an unencrypted Defense Travel System (DTS) Excel spreadsheet containing bank electronic funds transfer (EFT) information, bank routing numbers, truncated Social Security numbers, truncated credit card information, residential addresses, and emergency contact information for several hundred individuals. The document, which was not encrypted, was emailed to individuals without a need to know and did not carry the security markings required by the DON Privacy Program instruction, SECNAVINST 5211.5E.
Because of the sensitivity of the PII and the potential for unauthorized disclosure, affected individuals were notified by email, and an additional notification was delivered by United States Postal Service to ensure receipt. A mass deletion of the email from the DON component's servers was completed the day after the breach, and all recipients were directed to delete the email. A command investigation was also ordered to determine how the breach occurred and how it could be prevented from recurring. The DON component also directed that Identity Protection Service (IPS) be provided to the affected individuals.
There are several lessons learned and reminders that came out of this breach:
- Examine all electronic collections of PII. The collection of SSNs must be justified and satisfy one or more of the acceptable use criteria. If the collection is authorized, determine if the number and sensitivity of PII elements can be reduced or eliminated.
- Reinforce to command personnel that all emails containing PII must be properly marked and encrypted.
- Continue to conduct PII compliance spot checks.
- Ensure all personnel complete their PII training at least annually.
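As a practical counterpart to the first and third lessons above (examining which PII elements a collection actually holds, and spot-checking a file before it leaves the command), the following Python example is added here and is not part of the original DON CIO page or any DON tool. It scans a CSV export of a spreadsheet for the element types named in this breach: full and truncated SSNs, bank routing numbers (validated with the standard ABA check-digit formula), full and truncated card numbers (validated with Luhn), and, by column header only, EFT account numbers, residential addresses and emergency contacts, which have no pattern that can be recognized from content alone. The regular expressions, the header keywords, the element-type names and the two sample rows are constructed assumptions for illustration, not an official rule set.

```python
"""Spot-check a CSV export (for example a DTS spreadsheet saved as CSV) for PII element types.

Added illustrative example; patterns, header hints and sample data are assumptions.
"""
import csv
import io
import re
from collections import defaultdict

# Content-based patterns (assumed for illustration).
FULL_SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
TRUNC_SSN_RE = re.compile(r"(?:XXX|\*{3})-(?:XX|\*{2})-\d{4}\b")          # XXX-XX-1234 style
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")                                   # candidate routing numbers
CARD_RE = re.compile(r"\b\d{13,19}\b")                                      # candidate card PANs
TRUNC_CARD_RE = re.compile(r"(?:X{4}|\*{4})[ -](?:X{4}|\*{4})[ -](?:X{4}|\*{4})[ -]\d{4}\b")

# Elements with no recognizable content pattern are inferred from the column header (assumed keywords).
HEADER_HINTS = {
    "account": "eft_account",
    "eft": "eft_account",
    "address": "residential_address",
    "emergency": "emergency_contact",
}

# Element types whose exposure enables fraud directly; candidates for removal or truncation.
HIGH_RISK = {"ssn_full", "routing_number", "eft_account", "card_full"}


def aba_checksum_ok(digits: str) -> bool:
    """ABA routing transit number check: weighted digit sum (3,7,1 repeating) must be 0 mod 10.
    An unformatted 9-digit SSN passes this about one time in ten, so a hit is a strong, not certain, signal."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return len(digits) == 9 and digits.isdigit() and \
        sum(w * int(d) for w, d in zip(weights, digits)) % 10 == 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_cell(value: str) -> set:
    """Return the set of PII element types recognizable from one cell's content."""
    found = set()
    if FULL_SSN_RE.search(value):
        found.add("ssn_full")
    if TRUNC_SSN_RE.search(value):
        found.add("ssn_truncated")
    if any(aba_checksum_ok(m.group()) for m in NINE_DIGITS_RE.finditer(value)):
        found.add("routing_number")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(value)):
        found.add("card_full")
    if TRUNC_CARD_RE.search(value):
        found.add("card_truncated")
    return found


def scan_csv(text: str) -> dict:
    """Return {column: {element_type: number_of_rows}} for every column that carries PII."""
    findings = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(text)):
        for col, val in row.items():
            if val is None or not val.strip():
                continue
            types = classify_cell(val)
            header = col.lower()
            types.update(etype for hint, etype in HEADER_HINTS.items() if hint in header)
            for t in types:
                findings[col][t] += 1
    return {col: dict(counts) for col, counts in findings.items()}


def requires_encryption(findings: dict) -> bool:
    """Any PII element at all means the message must be marked and encrypted before it is sent."""
    return any(findings.values())


def high_risk_elements(findings: dict) -> set:
    return {t for counts in findings.values() for t in counts if t in HIGH_RISK}


def reduction_candidates(findings: dict) -> list:
    """Columns holding high-risk elements: review whether each can be dropped or truncated."""
    return [col for col, counts in findings.items() if HIGH_RISK & set(counts)]


# Constructed sample rows; the routing number in row 2 deliberately fails the ABA checksum.
SAMPLE_CSV = """Name,SSN,Routing Number,EFT Account,Card,Home Address,Emergency Contact
A. Sailor,XXX-XX-1234,123456780,000111222333,XXXX-XXXX-XXXX-1111,"1 Example St, Norfolk VA",J. Doe 555-0100
B. Marine,123-45-6789,123456789,000444555666,4111111111111111,"2 Sample Ave, San Diego CA",K. Roe 555-0101
"""

if __name__ == "__main__":
    result = scan_csv(SAMPLE_CSV)
    for col, counts in result.items():
        print(f"{col}: {counts}")
    print("requires encryption:", requires_encryption(result))
    print("high-risk elements:", sorted(high_risk_elements(result)))
    print("review for reduction:", reduction_candidates(result))
```

The per-column report is what the first lesson asks for: it shows which columns carry a full SSN, a routing number or a full card number when a truncated form, or no value at all, would serve the business purpose. The `requires_encryption` result is the spot-check gate for the second lesson; a real deployment would run the same scan on attachments at the mail gateway rather than rely on the sender remembering to encrypt.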