U.S. Service Personnel Data Stolen
BStrunk writes "I was reading the news this morning on Reuters, when I stumbled across this article:
U.S. Service Personnel Personal Data Stolen
In the article, an official violated policy by taking the detailed personal information of thousands of active and reserve troops to his personal home, storing it on a personal computer, that was later stolen. In an age where domestic phone calls are monitored, a government employee was allowed to walk out of a government installation with the data on thousands of American citizens to store on an insecure personal computer? Doesn't that seem strange to you? This is a real failure, in my opinion, in government protection of its citizens. Layers of encryption and protected access were successfully bypassed to make the theft of this information as simple as stealing a home PC.
Now, not only do service personnel currently serving have to worry about IEDs and being fired upon, but they are now subject to possible identity theft. A real failure. After this, how could one have faith enough to serve an inept institution?"
Strange question (Score:3, Insightful)
Why do we need all the editorializing in the blurb? And the troops don't serve an institution.
Re:Strange question (Score:5, Funny)
Why do we need all the editorializing in the blurb?
You must be new here.
Re:Strange question (Score:5, Insightful)
That being said, I agree this was a failure, but not of the U.S. government. This was a failure by the analyst who didn't feel it mandatory to follow the rules. Every good security measure begins and ends with trust. The Office of Veteran Affairs was betrayed just the same as everyone else in this instance.
Re:Strange question (Score:4, Insightful)
The Office of Veteran Affairs was betrayed just the same as everyone else in this instance
I call BS, Veteran Affairs has consistently been given low grades in security. It goes back to a culture of "I don't give a damn". As long as the agency is not punished, publicly or privately, you can bet it will happen again.
Re:Strange question (Score:5, Insightful)
In this case the fault was negligence. The laptop should have had an encrypted hard drive. The consultant should not have taken the data home. But if the consultant shouldn't have taken the data home, why was he given a laptop? There were many mistakes made in this process, and those same mistakes are made throughout the government and private sector. The VA has no special claim on incompetence.
-Rick
Re:Strange question (Score:2, Insightful)
As an IT security engineer for a very large health maintenance organization, trying to prevent our physicians, administrative people and business oriented wonks from committing gross acts of security stupidity turns out to be one of the biggest challenges. Organizations need to drive hard to make sure employees are aware that putting sensitive information in positions of vulnerability will invariably lead to compromise t
Re:Strange question (Score:3, Insightful)
1. These were military personnel right? Referring to them as "American Citizens" is a stretch. Don't get me wrong. Hats off to our enlisted troops, but once you join the military you give up massive rights that a normal citizen has.
2. My dad served in the army, and from my understanding, it is anything but "intelligent." "Army Intelligence" was referred to as an oxymoron....
Re:Strange question (Score:2)
This is an individual who failed to maintain the level of security required of him by
Re:Strange question (Score:2)
Why yes, yes they do.
See, you might be enlisting because you want to aid your "country". This is an institution. You don't really think that they make globes by taking pictures of the earth, with convenient lines included, do you? About the only places you can see geographic borders is when one country has deforested itself and
Re:Strange question (Score:2)
Re:Strange question (Score:2)
Re:Strange question (Score:2)
And they do not serve an institution, they serve the people, first and foremost, and the government after that. (Although, I'm sure it's the other way around in practice).
Excuse me? (Score:5, Informative)
I'm in Iraq right now. Yes, we have to deal with IEDs and being fired upon. And yes, having to worry about this isn't all that great either. But that has absolutely nothing to do with "serving an inept institution" as you call it. We don't serve an institution. We serve in the Armed Forces of the United States. I serve in the Army, and I don't think that the Army is inept. This isn't a failure of the US Army as a whole, but it was due to the indiscretionary act of one person. He violated OPSEC (Operational Security) and he had no business taking sensitive information into his personal computer. This is HIS fault, and I hope he gets prosecuted to the fullest possible extent under the UCMJ. So please, like the parent said, no editorialization is necessary. We serve because we took an oath. We serve because we are professionals. We serve because words like Loyalty, Honor, Duty and Courage mean something to us. It doesn't mean that it means nothing to a civilian. But I hate it when people assume we are nothing but mindless drones. I, personally, try to keep politics away from the military. Which is why I don't endorse any side of political debate, when speaking as a soldier. I'm here to do a job, and I'm here as a professional.
Sorry for going so far off-topic.
Re:Excuse me? (Score:3, Interesting)
If one person can do this kind of damage, then the problem is with the system, not just that person.
Happens all the time (Score:2, Funny)
This happens all the time unfortunately. People's stupidity can circumvent any electronic security measures. But I'd rather have my identity stolen than my legs blown off by an IED.
http://psychicfreaks.com/ [psychicfreaks.com]
Re:Happens all the time (Score:2)
It's An Old Problem. (Score:3, Insightful)
This happens all the time unfortunately. People's stupidity can circumvent and electron
Conspiracy? (Score:2, Interesting)
2 things...
1.) Wouldn't stuff this sensitive be encrypted if it's sitting on an external disk drive?
2.) Is there some sort of conspiracy going on? With the terrorist arrests in California and Canada? Perhaps somebody is planning something big
Re:Conspiracy? (Score:2)
This is the same incident. They are just now figuring out whose info is involved.
No conspiracy here (Score:2)
It's like a postal service driver driving on the wrong side of the road, plowing into a family, killing everyon
Not really (Score:2)
As ever, with security, when it comes to sysadmins, you need to be able to trust the personnel, not only in terms of their integrity, but also in terms of their stupidity.
Since you are reposting 3 week old news (Score:4, Informative)
Re:Since you are reposting 3 week old news (Score:2)
Re:Since you are reposting 3 week old news (Score:3, Insightful)
The original event, the 26.5 million veteran records, may be old news, but now that has widened to encompass 2.2 million active members of the military, so this is hardly 3-week-old news. What it points to is a systemic problem -- why can't people keep sensitive data safe? The discussions here on Slashdot have gone on and on, with the consensus being that it seems stupid not to encrypt data, given the widespread availability of decent encryption software.
If anything, this is going to prove a blow to the i
More Than Identity Theft (Score:4, Insightful)
If that info gets on the web, an employer googling a potential employee's name may see that candidate has, for instance, post-traumatic stress disorder (PTSD) and decide not to hire them. It's currently illegal to discriminate like that, but there's no way anyone will ever know in this hypothetical situation.
Re:More Than Identity Theft (Score:2)
Other than the fact that it was reported that the data did NOT include medical information (I'll believe it when I see it), it can render the hypothetical situation unlikely. If they can easily access that data to hold it against you, maybe you can help paint the picture of discrimination by showing a courtroom how easy it was for them to find such information. Seize the company computers
Re:More Than Identity Theft (Score:3, Insightful)
Re:More Than Identity Theft (Score:2)
From the "Fine Tooth Comb" department (Score:4, Informative)
Ever vigilant (Score:3, Insightful)
Great, as if they didn't have enough to deal with. I can just picture some soldier under mortar fire in Iraq, trying to load a rifle with one hand while juggling a cellphone on hold with American Express in the other hand..
Re:Ever vigilant (Score:2)
I thought the war was running this way anyway? The soldiers probably buy their armament with their personal credit cards and then fill out an expense voucher at the end of the month. That would explain a lot of things.
Re:Ever vigilant (Score:2)
Re:Ever vigilant (Score:2)
Part of the same event (Score:2)
Personal information on about 2.2 million active-duty, National Guard and Reserve troops was stolen last month from a government employee's house, officials said on Tuesday in the latest revelation of a widening scandal.
The Department of Veterans Affairs said the information, including names, Social Security numbers and dates of birth, may have been stored in the same stolen electronic equipment that contained similar personal data on 26.5 million U.S. military veterans.
Same crap, different day. The
And in other news (Score:4, Insightful)
Thieves steal personal data of 26.5M vets [belleville.com]
Theft of Data Leads to Firings [washingtonpost.com]
Re:And in other news (Score:2)
Which in turn makes me believe it's not the same old, but an actual updated or new one.
Official Use Only Information (Score:5, Informative)
However, nearly every government computer in existence including laptops has gobs of OUO information on it. It's not encrypted because it's not that sort of information. It's just controlled dissemination. That does not mean it might be harmless to release it but it's way below classified.
It is not alarming that people occasionally accidentally disseminate or lose control of OUO. Employees are simply expected not to do so wilfully or wantonly or carelessly. It's even permissible to share OUO with people outside the government if the employee thinks it would be useful to do so. The fact that OUO was taken home is not a big deal.
In this case the only big distinctions are the massive quantity of the information, and the fact that it's personnel records which do have higher levels of protection. Apparently it was also policy not to take these home.
But what's it for? (Score:2)
Overtime... free or otherwise (Score:2)
Re:Overtime... free or otherwise (Score:5, Insightful)
Not keeping records of servicemen's personal data secure is a good deed?
Fuck, I sure hope so. I hope he got fired twice somehow in a bizarre star-trek-ian causality loop. Anyone who would keep confidential data on a computer in a physically insecure location without encrypting it is a fucking moron. Fuck him in his working-at-home ear.
Perhaps you didn't notice, but the entire federal government got failing grades on their infosec security report card. Are you really okay with that? By making excuses for idiots who cannot see their way to actually protecting confidential data, you are part of the problem.
Re:But what's it for? (Score:2)
Although, what we set up is a VPN tunnel + Windows Remote Desktop. That's relatively secure, because at least the files never leave our physical premises, and the VPN ensures it's all encrypted properly. Of course, it also bridges our network with all the viruses and crud on these people's home computers...
Re:But what's it for? (Score:2)
Re:Official Use Only Information (Score:3)
Apparently not.
Re:Official Use Only Information (Score:2)
Even one company I've worked for would say that if this data were to leave a company facility electronically, including via laptop, that data must be encrypted.
Re:Official Use Only Information (Score:3, Interesting)
I work for the federal government, and I often travel overseas with a government owned laptop. That laptop usually has export controlled (but unclassified) information on it.
Whenever I do this I have to fill out many forms documenting exactly what is on that laptop. When I asked why, it was "so we know what was on it if you lose it - that would technically be an export, and w
Apples and oranges (Score:3, Informative)
Besides, domestic calls are not monitored without a warrant. Do you have a problem with that? Perhaps you are thinking of international* calls to known members of terrorist organizations.
Is that a question?
* According to my phone bill, a call made from my house to another country is an international call.
Re:Apples and oranges (Score:3, Insightful)
Depends on what you mean by 'monitored'. Are records of domestic calls being kept and stored in a database for potential future use? You betcha. Is this monitoring? Maybe. I think so.
And the point that was being made in the editsummary is, AFAICT, that the US government is capable of monitoring domestic phone calls, and willing to brute force the issue with the telcos, but not capable of preventing this kind of stupid human error.
Re:Apples and oranges (Score:2, Insightful)
Re:Apples and oranges (Score:3, Insightful)
As to
Re:Apples and oranges (Score:2)
Do you want trusted computing? (Score:3, Insightful)
The only way to prevent most of that kind of leak is the infamous trusted computing. How can you prevent somebody from walking out of the building with critical files on his USB key without "secure hardware"?
Re:Do you want trusted computing? (Score:2)
Government in-action (Score:2)
T
As a vet, I can say... (Score:5, Informative)
Everyone who has been in the service knows that there are always a few idiots up in the higher levels of the chain of command. Also that the civilian employees of the DoD aren't always interested in looking out for the interests of the military personnel that they are supposed to be serving. Dealing with the civilian DoD folks was a constant frustration during my time at Fort Bragg. Not that those folks are all bad, but the service they gave me when I was in the 82nd was second only to the service I get from the DMV -- surly and uncooperative.
Re:As a vet, I can say... (Score:3, Insightful)
I understand the reasoning of people going in for ideological reasons, but they're wrong. You are NOT serving your country. Anyone who believes that working for the military is serving their country is only fooling themselves. Over $400B on this bullshi
Interesting point of view (Score:2)
It may sound like a left-field liberal statement, but working for the country isn't working for the "dirt" of the country, it's working for the people who make up the country. There are a lot of folks (at the local level in smaller cities at least) who do believe that this kind of service (serving as mayor, working for the Dept. of Building Safety) provides something useful to people. Even at the federal
Re:Interesting point of view (Score:2)
The problem is that there are citizens and there are citizens. The people who are in office are totally disconnected from the realities of everyday life - otherwise the minimum wage might have kept up with inflation. Also, if you think the government is elected by the voters, you clearly haven't been paying attention. Recounts were illegally terminated in both of the last two elections, and tens o
Don't Worry... (Score:3, Funny)
And that goes double for next time, too.
Quis custodiet ipsos custodes? (Score:3, Insightful)
"Who shall watch the watchers?" --Decimus Iunius Iuvenalis [wikipedia.org]
Allowed? (Score:2)
[Emphasis mine]
He wasn't allowed to do it, he simply wasn't caught in the act and prevented. Reading the article, I see nothing about him having sought or received permission. Just because one is able to do something does not mean that one is allowed to do it.
This could happen to you (Score:2)
What is this, a Theme Summer? (Score:4, Informative)
Ernst & Young lose data on a quarter-million Hotels.com customers [theregister.co.uk]
Ernst & Young (hey, there is a theme here!) lose information on Sun employees (including then-CEO Scott McNealy) [theregister.co.uk]. Also included were employee records for IBM, Nokia and Cisco.
Wells Fargo proves it can play the game too [theregister.co.uk].
And not to be left out, let's not forget Fidelity's loss of 200,000 HP employee records [theregister.co.uk].
What's scary is that both Fidelity and E&Y audit other companies for security and regulatory compliance (including HIPAA and Sarbanes-Oxley)...
Who was this employee? (Score:2)
How do we know it wasn't an "inside job"? We don't know if this guy is a criminal or just an idiot. I've heard that when you make something more idiot-proof, the world just makes better idiots.
I have worked for tech companies that had various security and
Re:Who was this employee? (Score:2)
IED or ID theft.. (Score:2)
I think the service personnel are MUCH more worried about being blown up or shot, than "whoops my credit rating got a bit low". So much so that I don't think it really adds to their problems.
Yeah it's a shitter but you can't compare someone using your name to apply for a credit card or a car loan, with being KILLED.
Yes, it does (Score:2)
Soldiers with close family back home should be okay, as they can just have someone else monitor their credit. Soldiers with no family and little access to the Internet should be worried. The VA should at the very least give each soldier an
Re:IED or ID theft.. (Score:2)
And yes, If I were loading crates in an airplane all day in Virginia to be shipped to Iraq, and couldn't get a loan for a car / house, because someone
Re:IED or ID theft.. (Score:2)
And I am saying, you cannot equate "being blown up by an IED" and "being shot by Iraqi dissidents" with "can't get a car loan when I get back". You can fix credit. You can't fix a hole in your head the size of a football.
No (Score:2)
This is very misleading. Considering it sounds like he took it in electronic format, there are a TON of ways he could have taken this home and I doubt people are strip searched everyday they leave the office.
It is probably against policy to take these documents home without permission. So saying he was "allowed" to do it is very misleading...he was not allowed to do it, he was just a trusted employee who has security clearan
False sense of security (Score:3, Insightful)
Actual this is great (Score:5, Insightful)
Why is this the best thing? Cause when troops are involved national pride actually works and things get done. People will flip out over this and they will finally fix it. Think of the children is first followed quickly by think of the troops. Now maybe they'll put the responsibility where it belongs. Squarely on the shoulders of those companies that deal with credit. Then I'll stop getting those calls for the new service that protects my credit and it only costs $14.95 a month. Make that free and actually go after these thieves instead of what they do now.
Service to an inept institution. (Score:3, Insightful)
This is a common misstatement made by those who think joining the armed services is about service to the army, or the navy, or the president. Joining one of the U.S.A.'s armed services is about serving your country, not the individuals in control of it. It's about protecting your homeland from invaders. It's about getting a shot at the brass ring of U.S. citizenship through sacrifice. It's about putting yourself on the line for your brother, your friend, your mother, your future, etc.
When I apply for a job in the states, I do so based on my ability to trust my employer to treat me responsibly. I would refuse a job that didn't pay well, or one where my employment would be degrading or unduly dangerous. Joining any military is a distinctly different sort of employment. It's an inherently dangerous job, one in which you can expect abuse from your employer, rigorous and painful training, and eventual combat duty.
So, in short, while this article is certainly a sign that our government is abusing our troops, one should honor those who do so despite the obvious risks inherent in service. Rather than wondering who would serve, we should wonder who would treat so poorly those who give so much. We ought (as in a moral ought) to respect and honor those who risk their lives to defend our way of life. We ought (again, moral ought) to hold in deepest revulsion those who abuse them, or send out the troops over petty personal desires and greed.
-GiH
No need for confusion. (Score:2, Insightful)
No contradiction here, both are consistent with each other. Either way, it is because you have no privacy in the eyes of the state.
Theft like this is stupid and unnecessary (Score:3, Insightful)
However, my set of data was real data that was obfuscated, random names, SSNs, etc., generated, replacing the ones in the database. No real data was ever allowed to be exported off the database server, period. Only an SA could steal it.
That this wasn't done is just gross negligence on the part of the organization.
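The practice this comment describes, real records whose names, SSNs and similar identifiers are replaced with generated values before anything leaves the database server, shown as an added example that is not part of the original post. It uses a keyed HMAC so the same SSN maps to the same fake value in every table, and checks the export for surviving originals. The table layout, field names, name lists and key are assumptions, and the sample rows are constructed.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample data; table layout and field names are assumptions.
PERSONNEL = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "dob": "1980-02-14", "status": "active"},
    {"id": 2, "name": "Bob Sample", "ssn": "234-56-7890", "dob": "1975-11-02", "status": "reserve"},
]
PAYROLL = [
    {"ssn": "123-45-6789", "grade": "E-5"},
    {"ssn": "234-56-7890", "grade": "O-2"},
]

SENSITIVE = ("name", "ssn", "dob")
FIRST_NAMES = ["Avery", "Blake", "Casey", "Devon", "Emery", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Ashdown", "Birchall", "Caldwell", "Dunmore",
              "Eastlake", "Fairweather", "Garrow", "Holloway"]


def _prf(key, field, value):
    """Keyed pseudo-random integer for (field, value); not recomputable without the key."""
    mac = hmac.new(key, field.encode() + b"\x00" + value.encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")


def mask_value(key, field, value):
    """Replace one sensitive value with a generated one of the same shape."""
    n = _prf(key, field, value)
    if field == "ssn":
        # SSA never issues area numbers 900-999, so the output cannot equal a real SSN.
        return f"{900 + n % 100}-{1 + (n // 100) % 99:02d}-{1 + (n // 9900) % 9999:04d}"
    if field == "name":
        return f"{FIRST_NAMES[n % 8]} {LAST_NAMES[(n // 8) % 8]}"
    if field == "dob":
        return (date(1950, 1, 1) + timedelta(days=n % 18250)).isoformat()
    raise ValueError(f"no masking rule for field {field!r}")


def mask_rows(key, rows):
    """Return copies of rows with sensitive fields replaced; other fields pass through."""
    return [
        {f: mask_value(key, f, v) if f in SENSITIVE else v for f, v in row.items()}
        for row in rows
    ]


def find_leaks(original, export):
    """Pre-export check: original sensitive values that still appear in the export."""
    secrets = {str(r[f]) for r in original for f in SENSITIVE if f in r}
    exported = {str(v) for r in export for v in r.values()}
    return sorted(secrets & exported)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: the real key never leaves the database server
    for row in mask_rows(key, PERSONNEL) + mask_rows(key, PAYROLL):
        print(row)
    print("leaks:", find_leaks(PERSONNEL, mask_rows(key, PERSONNEL)))
```

Because the mapping is keyed and deterministic, joins between masked tables still work, but anyone holding the key can test guesses against the export. The generated value space is small, so uniqueness constraints should be rechecked after masking.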
I Served - and the OP is wrong in one respect (Score:5, Insightful)
I didn't serve the Army - I served *IN* the Army.
What I served was the American People, through their elected Commander in Chief, and the primary focus of the Oath I and others swear is:
to Uphold and Defend the Constitution of the United States
Second error by the OP is the "institution" that lost the data was not the military per se but the Veterans Administration, a cabinet level office that is separate from the Army, Navy, Air Force, Marines and Coast Guard, etc.
When will
There are plenty of libertarian geek veterans out there who post here regularly - Rob, grab one and add some diversity to the editorial clique.
Publish the SSNs ! (Score:3, Interesting)
The news worse than the incident (Score:3, Interesting)
Re:IED? (Score:2)
Re:IED? (Score:3, Informative)
Basically a bunch of artillery shells wired to a trigger or remote. When a US convoy drives past the IED hiding spot, a watcher triggers the explosive and the huge crater is formed right where the convoy used to be.
-Rick
Re:IED? (Score:2)
s/US convoy/target/, IEDs are not and have never been restricted to Iraq, they've been used throughout the whole second half of the 20th century at least.
Re:IED? (Score:2, Informative)
Re:IED? (Score:2)
Like a big 120mm shell converted into a roadside bomb.
Or a stick of TNT dipped in superglue and then bb's
Re:IED? (Score:5, Funny)
Re:IED? (Score:2)
Re:IED? (Score:2)
Re:IED? (Score:2)
Re:IED? (Score:2)
Not a dupe! (Score:3, Interesting)
It just happened exactly the same way...
I guess Slashdot can't help if the news is repetitive.
Re:Not a dupe! (Score:4, Informative)
The Active Duty info is a subset [wgal.com] of the same data stolen weeks ago.
Re:Not a dupe! (Score:2)
I wonder how such an editorial (and Michael Moore-esque*) summary made it on to the front page.
*I identify myself as in the center and more liberal than conservative but I still think Michael Moore is a huge jack ass... go figure.
Re:Not a dupe! (Score:2)
I guess actually reading the article is asking too much?
"The Department of Veterans Affairs said the information, including names, Social Security numbers and dates of birth, may have been stored in the same stolen electronic equipment that contained similar personal data on 26.5 million U.S. military veterans."
This makes me suspicious it was an inside job (Score:3, Interesting)
Dude had some bad debts to some bad men. Said bad men approached him with a way he could pay them off. Just get data for ID theft on his laptop then leave it in his house and they would make it look like a burglary. Dude does so, and reports laptop stolen, but not t
Re:Once again. . . (Score:2)
Re:Once again. . . (Score:2)
Re:Once again. . . (Score:3, Insightful)
Of course! Privatizing government functions lets the government get around that annoying thing called the "Constitution" (aka "just a goddamn piece of paper").
Re:Once again. . . (Score:2, Interesting)
Re:Once again. . . (Score:3, Insightful)
Re:not thousands, MILLIONS (Score:2)
I was going to mention that too...I was just reading this story in my local newspaper (http://www.chicagotribune.com/news/nationworld/chi-0606070180jun07,1,2047673.story?coll=chi-news-hed&ctrack=1&cset=true [chicagotribune.com]), and apparently it's a full 80% of the active-duty military that had their personal info stolen.
Re:Are these thefts really just random events? (Score:2)
Not in the least. There are a lot of computers being stolen, and a lot of computer users who carry around data they shouldn't. Every so often the two coincide. We probably only get to hear about a subset of the worst cases.
Re:Are these thefts really just random events? (Score:3, Insightful)
If you're following the story, every indication is that it was a routine suburban residential burglary. I live in the same county as the home that was robbed, and this is exactly like every other B&E we always see: laptops, game consoles, digital cameras, jewelry, cash. Rinse, repeat.
If you live in the DC area as an info-worker, the odds of you handling sensitive payroll or similar data, especially related to governmen