
Hold Your Breaches, October-December 2009
By Steve Muck - October-December 2009
The following is a recently reported compromise of personally identifiable information (PII) involving the theft of storage media containing personal information. Incidents such as this will be reported in each CHIPS magazine to increase PII awareness. Names have been changed or removed, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.

The Incident

On July 27, 2009, the DON CIO Privacy Office received a breach report that initially was thought to be one of the DON's largest and most egregious to date. While only sketchy details were received in the first report, the DON CIO alerted the Under Secretary of the Navy, Navy Chief of Information (Public Affairs), Naval Criminal Investigative Service (NCIS) Headquarters and the Defense Privacy Office, then waited for updates to come in. Here is a summary of what was first reported:

"A headquarters complex was burglarized over the weekend. Numerous items, including storage media, were stolen from our workspaces. Police and local NCIS have been contacted. At least 10 laptops and 9 external hard drives were stolen. One laptop contained a file with approximately 60 system passwords/usernames/secret words along with the link to the related sites; a file that contained personal financial data including bank accounts, investment accounts, credit cards, salaries for myself and my wife, expenses, gifts and overall balance sheet.

The file also contained links to the various financial institutions, as well as passwords/usernames/secret words and phone numbers; my entire contact list which included work and personal cell phone numbers, addresses, and personal notes, such as birthdates for friends and family; a file that recorded my lifetime government pay, bonuses, awards, promotions and salary; 'government only' contract sensitive information; discrimination and hostile work environment correspondence and a host of other privacy or sensitive information."

This incident was most disturbing because it involved theft and appeared to target easily transportable storage media that held large amounts of data.

Follow-up reports provided a much better outlook with regard to potential damage to the DON and to affected personnel.

In the final analysis, only one laptop contained PII that was considered "high risk," affecting eight individuals. Most of the stolen storage media were either brand new (still in the box) or encrypted with the GuardianEdge encryption solution. An investigation is ongoing to identify the perpetrators.

Lessons Learned

Insider threats continue to cause the most concern with regard to PII data and the high potential for identity theft.

• Physical security plans must be continually scrutinized and updated.
• As a best practice, never store your PII on a government computer.
• Personnel should never store unencrypted passwords/usernames/secret words, or the URLs of the sites they belong to, on a government computer.
• External hard drives are becoming as vulnerable as thumb drives; a best practice should be to physically secure them at the end of each workday.
• Regardless of who owns the equipment, inventory controls must be in place and tightly enforced.
• Full disk encryption works.

The theft of storage media containing PII protected by data-at-rest encryption should still be reported to the U.S. Computer Emergency Readiness Team (US-CERT) within one hour, even though it is generally not considered a high-risk event.

Additional Privacy information can be found on the DON CIO Web site, www.doncio.navy.mil.

Steve Muck is the DON CIO privacy team lead.

US-CERT
www.us-cert.gov

DoD Privacy Office
www.defenselink.mil/privacy

DON CIO Privacy Office
www.doncio.navy.mil

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988