As societies depend further upon information systems, citizens are forced to place their trust in strangers for the security of their personal information. Sometimes trust is compromised.
By Anthony M. Davis
Originally Published: June 28, 2006
When I heard about the 26.5 million records of veterans’ personal information being in jeopardy, I got angry. About a week ago I received a weak explanation letter from the VA telling me all the things that “I” can do to protect my identity and personal information. There was nothing about what the VA intended to do about it. Now, the VA reportedly says the computer was located and no information was found. Good. This doesn’t eliminate the fact that our information was improperly handled. I’m still angry.
This week’s information failure includes the records of 28,000 Navy personnel in jeopardy because of personal information posted on a website. Additionally, the Department of Agriculture is now a new victim as well with 26,000 of their people wondering what lies ahead.
Military OPSEC Failure
Recently I had the occasion to research a specific military command involved in Homeland Security issues. While researching I did a simple Google search and found 19 hits. There were PowerPoint presentations showing the entire Command structure, personnel, assets and methods of operation. Digging a little deeper, I found an Unclassified - For Official Use Only (FOUO) Execution Order message describing equipment, personnel requirements and procedures for conducting a deployment. Within the message was a list of key personnel, specific units, positions and their email addresses.
This is a serious Operational Security (OPSEC) issue. I called and spoke to a LT Colonel in the Command Office. I explained my concern for OPSEC when things like this are posted on the Internet. She told me, “That’s Okay, we want people to know we’re out there.” That’s Okay??? It’s not a problem to have the names, commands, positions and email addresses of personnel on the open Internet?
A wise adversary will choose targets with the intent of inflicting the most harm. It doesn’t take much to comprehend the fact that when our personnel’s names are posted on the Internet and it clearly shows they work in the Pentagon or Joint Chief of Staff Office, that person has a security clearance and could be a target. I stripped out each of the email addresses and sent them all an email.
“You are receiving this email because your name and email address was posted on the Internet within an Unclassified FOUO Execution (Deployment) Order. I consider this to be a serious OPSEC issue, therefore you are being notified.”
Amazingly I received many “Mail Read” return receipts with very few replies. Fortunately, I did receive some feedback from people who have the ability to do something about it and see the validity of my point.
After this find, I began to wonder what other personal information issues I could find. Within ten minutes, using simple Boolean search terms I found three Leave and Earning Statements (LES) belonging to military personnel. These earning statements are used by military and federal employees to monitor their pay and allotments. Those that I found appeared to look like a screen shot of the Defense Finance and Account System’s (DFAS) MyPay site. Earlier this year, false clone sites were set up in a phishing attempt to obtain information and passwords.
For the protection of these military personnel, I won’t disclose pertinent information. Yet, the LES there gives full names, Social Security Numbers, pay, allowances, allotments, bank account and routing numbers. According to one LES, the individual has an allotment of $850 going to his bank each month. With the other information obtained, a person could redirect those funds to another account or possibly steal his identity. Once again, information is not safe and our military personnel are left hanging.
Uhhh…It’s Someone Else’s Fault…
Security Managers are hired based upon the skills they said they had when they took the job. When they take their federal paycheck, they have a responsibility to earn it. Each time a large-scale intrusion occurs, senior leadership immediately takes on the role and intelligence similar to a Scooby-Doo cartoon. The confused look, raised arms at their side and the excuse that it was somebody else’s fault and unintelligible mumbling doesn’t cut it when our folks are left hanging. If personal data remains vulnerable on networks, perhaps better encryption, placement on secure stand-alone systems or a new classification paradigm of personal information should be the way of the future.
For those that are caught stealing personal information, let’s start calculating the cost of a life. What is a life worth? A million dollars?… more? That’s basically what’s stolen through identity theft. For the convicted, asset forfeiture equivalent to the amount stolen would be a good start; no assets? Add years.
So, when will information disclosures end? I don’t know. The information I found was relatively easy. What could an adversary do with it? Once that point is nailed home, perhaps then, serious efforts will be ahead.