Sunday, December 11, 2011

Ubiquitous Data Breaches - #NASA and #Tricare #SAIC

Update 05/28/2014 - TrueCrypt is now defunct

Update 01/3/2012: I now recommend the free, open source AESCrypt in lieu of AxCrypt as a simple, easy to use cross-platform encryption tool. Find out more here.

Whether it's your 17-year-old daughter or 83-year-old mother, their identity being stolen has been made a whole lot easier by two organizations we have to trust: NASA and TRICARE. Two "data breaches" of personal information have me very concerned. As a father and a son, I'm cast in the role of tracking the use of multiple identity theft monitoring services. Whether it's the Teacher Retirement System, the Texas Comptroller, a school district, NASA, or SAIC, we're finding ourselves having to better manage participation in identity theft programs.
Concerned parents may well advise their college kids to stay out of dark corners, lock their doors at night, and travel in groups. While these measures might help prevent college students from getting robbed in conventional ways, they cannot protect them from one of the worst kinds of theft imaginable: having their identities stolen and used to defraud others.
Source: The College Students' Guide to Identity Theft 
Here are two recent data breaches, one in November and another in December 2011, that I'm having to deal with. EMBRACE ENCRYPTION. If you need a tutorial, let me know and I'll be happy to do an Encryption for Educators session for your employees.

Image Source: Romanian Hacker Arrested NASA Breach, Security News Daily
Do a google search on NASA Data Breach, and you'll get a few answers, but no mention of this one (per my search) that arrived in my mailbox recently:
This letter is to inform you about the unintentional loss of personally identifiable information that was submitted by you and your child as part of registration with NASA's Texas High School Aerospace Scholars and Women in STEM High School Aerospace Scholars (WISH) projects. 
An electronic copy of your information was stored on a flash drive by an employee of a NASA Johnson Space Center (JSC) grantee. On August 12, 2011, the flash drive was identified as missing after an aerospace scholar's event at the NASA JSC Gilruth Facility. The personally identifiable information on the flash drive included only names, mailing addresses, e-mail addresses and students' dates of birth. No other personally identifiable information was on the flash drive. No information is available about the current whereabouts of the flash drive but to date there is no evidence to suggest there has been any attempt to misuse your or your child's personal information. 
Because the flash drive included your child's date of birth, as a precaution for you and your child, JSC has contracted with Identity Force to provide you (the adult/guardian) with three bureau credit report monitoring services and your minor/child with identity monitoring services for one year. These services will be provided to you free of charge to help protect your and your child's identity.
Nowhere in the text is there an apology that my daughter's information has been shared with the world at large. Nowhere is there mention of disciplinary action taken against the employee who left UNENCRYPTED data on a flash drive. If employees of the NASA JSC Gilruth Facility embraced encryption protocols, they wouldn't even have had to report this to us, because the data would have been inaccessible. 

And if confidential data is on flash drives, just because you delete the files doesn't mean they are gone... I hope they are wiping these flash drives appropriately.

These past two years have been rife with data breaches, which typically involve employees of organizations foolishly making UNENCRYPTED confidential data, also known as personally identifiable information (PII), available to the world. Let's do a quick review of recent data confidentiality goofs:

Source: SAIC web site...their solution may be proven but at least one employee was not.

Update: This affected 4.9 million people!!!

And, let's not forget this one from TRICARE via the Science Applications International Corporation (SAIC) that my 83-year old mother received:
This letter is to notify you of the loss of your personally identifiable and protected health information, and Science Applications International Corporation's (SAIC) offer to you of free credit monitoring and restoration services for the period of one year. 
SAIC is a government contractor supporting the TRICARE Management Activity (TMA). On September 14, 2011, a SAIC employee reported that computer backup tapes containing your information were stolen from his vehicle in San Antonio, Texas. Backing up your information to these tapes and transporting them for storage in a remote location is a routine procedure to save important data and is a specific contract requirement for SAIC. Upon discovery of the theft, we promptly notified law enforcement and designated government agencies. 
The information contained on the tapes may include names, Social Security Numbers, addresses, dates of birth, phone numbers, appointment information, diagnoses, treatment information, laboratory tests, radiology results, prescriptions, provider names, provider location and other patient data, but does not include any financial data, such as credit card or bank account information. 
The chance that your information could be obtained from these tapes is low since accessing, viewing and using the data requires specific hardware and software. We engaged law enforcement to attempt to recover the stolen backup tapes. 
At this time, we have no evidence to indicate the data on the backup tapes has been accessed, viewed or used by others in any way. However, we know how concerned you may be and to assist you, SAIC is providing you with a free, one-year membership in Kroll Inc's ID TheftSmart service.
As you might suppose, the list of protection services my mother, my daughter, my wife and I are enrolled in because of other organizations' data breaches is getting longer and longer. What's up with that? How hard is it to automate tape backups so that they are encrypted (link shows you how)?

This blog entry was mentioned at the Military Medical Digest -  http://www.tricare/mil/eenews
Also, in the highlighted section of SAIC's letter, you'll notice that their disaster recovery approach involves physically transporting tapes. Those tapes should NOT be moved unless encrypted. Better yet, why not take advantage of Secure FTP to transfer files from one server to another?
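Both breaches above came down to the same failure: plaintext PII left the building on removable media (a flash drive, backup tapes). The check below is an added example, not code from the post or from NASA/SAIC: a pre-transport gate that refuses to stage a file onto removable media unless it is recognizably encrypted and contains no detectable SSNs or dates of birth. The AESCrypt and OpenPGP header bytes come from those formats' public descriptions, the 7.5 bits/byte entropy threshold is a working assumption, and the roster and ciphertext samples are constructed.

```python
import hashlib
import math
import re
from collections import Counter

# Magic bytes of two encrypted formats the post names (public format specs, not
# the post). AESCrypt files open with "AES" + version 0x02 + reserved 0x00; a
# binary `gpg --symmetric` file opens with an OpenPGP tag-3 packet header, 0x8c.
KNOWN_HEADERS = {
    b"AES\x02\x00": "AESCrypt",
    b"\x8c": "OpenPGP symmetric (binary)",
    b"-----BEGIN PGP MESSAGE-----": "OpenPGP (ASCII armor)",
}
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(rb"\b\d{1,2}/\d{1,2}/(?:19|20)\d{2}\b")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and encrypted containers sit close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(data: bytes) -> dict:
    """Decide whether this file may leave the building on removable media."""
    sample = data[:4096]
    fmt = next((name for magic, name in KNOWN_HEADERS.items()
                if sample.startswith(magic)), None)
    entropy = shannon_entropy(sample)
    pii_hits = len(SSN_RE.findall(sample)) + len(DOB_RE.findall(sample))
    # A TrueCrypt volume carries no magic at all (it is meant to look random),
    # so the entropy test is what admits header-less containers.
    encrypted = fmt is not None or entropy > 7.5
    return {"format": fmt, "entropy": round(entropy, 2),
            "pii_hits": pii_hits, "allowed": encrypted and pii_hits == 0}

def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for real ciphertext."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed samples (fake people, fake numbers): a roster as it might sit on a
# lost flash drive, and a stand-in for that roster after AESCrypt encryption.
PLAIN_ROSTER = (b"name,dob,ssn\nA. Scholar,03/14/1994,123-45-6789\n"
                b"B. Scholar,07/02/1993,987-65-4321\n")
AESCRYPT_BLOB = b"AES\x02\x00" + pseudo_ciphertext(4096)
```

Run `classify()` over everything in the staging directory before the copy to tape or USB happens; a plaintext roster is rejected on both counts (no known header, low entropy, PII present), while an AESCrypt file or a header-less TrueCrypt container passes.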

We have little recourse except to rely on these organizations (e.g. NASA, SAIC, TRICARE) for the services they provide. I can only pray that they will be more diligent in the future in protecting precious information for my entire family.

For now, I'm keeping track of all the information in a GPG encrypted KeepassX file inside of a Truecrypt volume. Sigh. It doesn't matter, right? My information--and my family's--is already out there through no fault of my own.


Everything posted on Miguel Guhlin's blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

1 comment:

james said...

Perhaps! A little shocking... but not uncommon, isn't it?
