U.S. Service Personnel Data Stolen

BStrunk writes "I was reading the news this morning on Reuters, when I stumbled across this article: U.S. Service Personnel Personal Data Stolen In the article, an official violated policy by taking the detailed personal information of thousands of active and reserve troops to his personal home, storing it on a personal computer, that was later stolen. In an age where domestic phone calls are monitored, a government employee was allowed to walk out of a government installation with the data on thousands of American citizens to store on an insecure personal computer? Doesn't that seem strange to you? This is a real failure, in my opinion, in government protection of its citizens. Layers of encryption and protected access was successfully bypassed to make the theft of this information as simple as stealing a home pc. Now, not only do service personnel currently serving have to worry about IEDs and being fired upon, but they are now subject to possible identity theft. A real failure. After this, how could one have faith enough to serve an inept institution?"

Strange question

[stupidfoo]

After this, how could one have faith enough to serve an inept institution?

Why do we need all the editorializing in the blurb? And the troops don't serve an institution.

More Than Identity Theft

[foo fighter]

There's a real fear that this includes classified disability info.

If that info gets on the web, an employer googling a potential employee's name may see that candidate has, for instance, post-traumatic stress disorder (PTSD) and decide not to hire them. It's currently illegal to discriminate like that, but there's no way anyone will ever know in this hypothetical situation.

Ever vigilant

[Rob T Firefly]

TFA: Bryan Whitman, a Pentagon spokesman, said, "We want to encourage service members to be vigilant and carefully monitor their personal information and any statements related to recent financial transactions."

Great, as if they didn't have enough to deal with. I can just picture some soldier under mortar fire in Iraq, trying to load a rifle with one hand while juggling a cellphone on hold with American Express in the other hand..

And in other news

[porkchop_d_clown]

Slashdot notices a month-old scandal.

Thieves steal personal data of 26.5M vets [belleville.com]

Theft of Data Leads to Firings [washingtonpost.com]

Do you want trusted computing?

[file-exists-p]

The only way to prevent most of that kind of leak is the infamous trusted computing. How can you prevent somebody to walk out of the building with critical files on his USB key without "secure hardware" ?

Re:Since you are reposting 3 week old news

[Billosaur]

The original event, the 26.5 million veteran records, may be old news, but now that has widened to encompass 2.2 million active members of the military, so this is hardly 3-week-old news. What it points to is a systemic problem -- why can't people keep sensitive data safe? The discussions here on Slashdot have gone on and on, with the consensus being that it seems stupid not to encrypt data, given the widespread availability of decent encryption software.

If anything, this is going to prove a blow to the idea of telecommuting and/or working from home. Not to get too far off topic, but companies may now become very leery of sensitive data making it out past their firewalls, especially when it seems their employees can't handle it properly or keep it safe.

Quis custodiet ipsos custodes?

[Medievalist]

"Who shall watch the watchers?" --Decimus Iunius Iuvenalis [wikipedia.org]

Re:Strange question

[Anonymous Coward]

I agree, rants and opinions belong in posts, informative summaries belong on the main page. I don't go to slashdot to get raved at by someone who doesn't understand the difference.

That being said, I agree this was a failure, but not of the U.S. governemnt. This was a failure by the analyist who didn't feel it manditory to follow the rules. Every good sercurity measure begins and ends with trust. The Office of Veteran Affairs was betrayed just the same as everyone else in this instance.

Re:More Than Identity Theft

[MrSquirrel]

New, from the makers of HIPPA -- Unsecured Information Fun! It's absurd to think that a "Veterans Affairs data analyst who had violated official procedures by taking the data home" caused millions of people to be at risk for ID theft or worse. It's 2006 -- he is an alleged data analyst, meaning he should know the risk of unsecured data. 1) he broke office procedure by taking the data home, 2) he left the data completely unsecured on a computer in his home. If this happened at a health-insurance-industry related company, under HIPPA the employee AND the company would both be held accountable and severely reprimanded... but because it's the government, "oh, everything's peachy, we're looking in to it" -- I haven't even heard of the employee being fired. What's worse is that there were originally "only" 50,000 people at risk from this data, now - a week later - it's been released that the number is in the millions... Go-go gadget government uh-oh.
(I've been following this story for a while, note a very timely /.)

Re:Apples and oranges

[Red Flayer]

"Besides, domestic calls are not monitored without a warrant."

Depends on what you mean by 'monitored'. Are records of domestic calls being kept and stored in a database for potential future use? You betcha. Is this monitoring? Maybe. I think so.

And the point that was being made in the editsummary is, AFAICT, that the US government is capable of monitoring domestic phone calls, and willing to brute force the issue with the telcos, but not capable of of preventing this kind of stupid human error.

Re:Overtime... free or otherwise

[drinkypoo]

This is a case of "no good deed goes unpunished."

Not keeping records of servicemen's personal data secure is a good deed?

The guy was working on a project at home "unauthorized", his laptop and usb hdd get stolen, officals grandstand, and he gets fired at age 60 (perhaps without a pension).

Fuck, I sure hope so. I hope he got fired twice somehow in a bizarre star-trek-ian causality loop. Anyone who would keep confidential data on a computer in a physically insecure location without encrypting it is a fucking moron. Fuck him in his working-at-home ear.

Perhaps you didn't notice, but the entire federal government got failing grades on their infosec security report card. Are you really okay with that? By making excuses for idiots who cannot see their way to actually protecting confidential data, you are part of the problem.

False sense of security

[mabu]

People are focusing on the transgression of the guy putting this data on his laptop and taking it out of the building. In reality, you can bet the systems he was working on were networked and he could have accessed the data from his home directly. I'm not sure if there is a simple solution to this other than constantly making sure all data is encrypted wherever it is stored.

Re:As a vet, I can say...

[drinkypoo]

Those who are serving for ideological reasons (even if "patriotism" only plays a small part in the decision) believe they're serving the country as a whole and the ideals it stands for. That's why we say "serving our country" not "serving the military."

I understand the reasoning of people going in for ideological reasons, but they're wrong. You are NOT serving your country. Anyone who believes that working for the military is serving their country is only fooling themselves. Over $400B on this bullshit war for oil. Whoop de shit. Even the reasons we sent troops there turned out to be bullshit.

Or of course, go back a little further into history... remember all those weapons that we sold to third world countries? And now we have a terrorism problem.

Make no mistake, working for the government in any capacity is working for the institution. The dirt of the country doesn't have a bank account, and doesn't write you a paycheck. The government does. Who do you think you're working for, really? (Or well, who you were working for...)

Actual this is great

[portwojc]

Actually this is the best thing that could have happened. A complete failure in a system, potential for identity theft, and involving current/past service men/women. I am one of those by the way.

Why is this the best thing? Cause when troops are involved national pride actually works and things get done. People will flip out over this and they will finally fix it. Think of the children is first followed quickly by think of the troops. Now maybe they'll put the responsibility where it belongs. Squarely on the shoulders of those companies that deal with credit. Then I'll stop getting those calls for the new service that protects my credit and it only costs $14.95 a month. Make that free and actually go after these thieves instead of what they do now.

Re:Apples and oranges

[fortunato]

This is all well and good but the fact that they have been doing this for a long time neither makes it right nor does it mean it works. It certainly didn't seem to help them find the terrorists on 9/11. If it took 30 years for this to become a public enough issue that people are up in arms then, in my opinion, it was 30 years too long. But I'm glad to see people are starting to notice all the little infringements on our rights and to realize that you don't need very many little ones to end up with big ones.

As regarding your second paragraph, everyone I've heard who have made statements like that seem to assume that the people who have access and control over all this collected information are robotic superheroes fighting for truth, justice, and the American Way, who would never ever ever ever ever mistakenly or purposefully use and/or abuse that information. Unless you haven't been keeping up on current events lately, there are all kinds of fraud, bribery, outing of secret agents, and other exciting criminal behavior going on with all of our government officials across all party lines. I'd have to say you like to live on the edge if you trust these people to do the right thing with your information.

Re:Strange question

[Herkum01]

The Office of Veteran Affairs was betrayed just the same as everyone else in this instance

I call BS, Veteran Affairs has consistently been given low grades in security. It goes back to a culture of "I don't give a damn". As long as the agency is not punished, publicly or privately, you can bet it will happen again.

Don't Question The Armed Forces Personnel Serving

[Boarder00]

First off, your last comment: "After this, how could one have faith enough to serve an inept institution?" was offensive. It's not that they have faith to serve an institution- it's they have faith and beliefs that they are protecting something of the utmost importance- YOUR FREEDOM!!! Having served in the Air Force and done my time in the deserts of the Middle East, I know first hand what those guys are going through over there. For some ignorant fool as yourself to question their faith, dissappointing to say the least. They are over there giving their blood, sweat, tears, and families to protect your freedom & you don't even have the common decency to say thank you. To get to the point of your story- yes there are protections put in place to defend information from falling into the wrong hands. But if you are an IT "Geek" you should know, the least secure of any point on a network is physical. If you can physically get access to data then that data can become vulnerable. Its not like you can let people see or copy data, but then wipe it from their minds, computers, etc. the second leave a restricted area. The government has their issues and it deals from the top down. But they need to hire more personnel in the concerned areas who know what they are doing. Too many times did I run into civilian contractors on bases who hadn't a clue how to properly setup and maintain a network. I only wish I had the opportunity to right some of the wrongs I have seen- i.e. civilian contractors collecting in upwards of $200,000 a year to work in a "Hostile" environment; and all they are doing is collecting a pay check AND NOT completing the tasks they need to. I have seen this FIRST HAND while in the Middle East. The civilian IT staffs at most bases there were incompetent; but still they were collecting the big checks. But that Senior Airman going around showing them what is wrong with their networks and fixing their problems for them- he only makes $15,000 a year- AND he is going to hostile environments to do it. You tell me where the problem lies.... it lies in the hands of people like yourself who complain about the "Institution," but do nothing to change it; except maybe vote the person in who has changed our country over the bast 6 years. THANK YOU!

Service to an inept institution.

[GodInHell]

After this, how could one have faith enough to serve an inept institution?"

This is a common misstatement made by those who think joining the armed services is about service to the army, or the navy, or the president. Joining one of the U.S.A.'s armed services is about serving your country, not the individuals in control of it. It's about protecting your homeland from invaders. It's about getting a shot at the brass ring of U.S. citizenship through sacrifice. It's about putting yourself on the line for your brother, your friend, your mother, your future, etc.

When I apply for a job in the states, I do so based on my ability to trust my employer to treat me responsibly. I would refuse a job that didn't pay well, or one where my employment would be degrading or unduly dangerous. Joining any military is a distinctly different sort of employment. It's an inherently dangerous job, one in which you can expect abuse from your employer, rigorous and painful training, and eventual combat duty.

So, in short, while this article is certainly a sign that our government is abusing our troops, one should honor those who do so despite the obvious risks inherent in service. Rather than wondering who would serve, we should wonder who would treat so poorly those who give so much. We ought (as in a moral ought) to respect and honor those who risk their lives to defend our way of life. We ought (again, moral ought) to hold in deepest revulsion those who abuse them, or send out the troops over petty personal desires and greed.

-GiH

No need for confusion.

[dwalsh]

"In an age where domestic phone calls are monitored, a government employee was allowed to walk out of a government installation with the data on thousands of American citizens to store on an insecure personal computer? Doesn't that seem strange to you."

No contradiction here, both are consistent with each other. Either way, it is because you have no privacy in the eyes of the state.

Theft like this is stupid and unnecessary

[Quila]

I've done work like this, writing software that works with various sensitive data, millions of records, maybe even one of you, and I've done it from home.

However, my set of data was real data that was obfuscated, random names, SSNs, etc., generated, replacing the ones in the database. No real data was ever allowed to be exported off the database server, period. Only an SA could steal it.

That this wasn't done is just gross negligence on the part of the organization.

I Served - and the OP is wrong in one respect

[EQ]

"how could one have faith enough to serve an inept institution?"

I didnt serve the Army - I served *IN* the Army.

What I served was the American People, through their elected Commander in Chief, and the primary focus of the Oath I and others swear is:

to Uphold and Defend the Constitution of the United States

Second error bythe OP is the "institution" that lost the data was not the military per-se but the Veterans Administration, a cabinet level office that is seperate fromthe Army, Navy, Airforce, marines and Coast Guard,m etc.

When will ./ editors have enough of the spin and editorializing - especially when its egregiously wrong as it is in this case. How about getting an editor with some military background instad of the usual suspects? A little bit if diversity might help ./ avoid posters like the originator who completely misses the point of the article and instead tries to spin it politically (point is veterans records were taken via a moron breaking security at the VA, not some anti-military screed that the OP tries to spin it into).

There Plenty of libertarian geek veterns out there who post here regularly - Rob, grab one and add some diversity to the editorial clique.

Re:Once again. . .

[Foobar of Borg]

Contractors without even crappy VA benefits and not subject to Geneva conventions. ;)

Of course! Privatizing government functions lets the government get around that annoying thing called the "Constitution" (aka "just a goddamn piece of paper").

Re:Strange question

[RingDev]

I call shenanigans on your BS. You can't pin this down on just the VA. As a former member of the military who worked in HQ MC and the Pentagon, I can assure you that given the proper motivation of any worker, this information could be leaked/stolen/sold.

In this case the fault was negligence. The laptop should have had an encrypted hard drive. The consultant should not have taken the data home. But if the consultant shouldn't have taken the data home, why was he given a laptop? There were many mistakes made in this process, and those same mistakes are made throughout the government and private sector. The VA has no special claim on incompetence.

-Rick

Re:Once again. . .

[Oculus Habent]

I doubt "The Man" specifically engineered this failure. "...was allowed to walk out?" What kind of crap statement is that? He had a laptop and an external hard drive. I didn't see any mention of "His supervisor instructed him to copy sensitive data onto a personal computer..." Should everyone leave an hour early so the door guards can perform an extensive scan on their laptop? If they run across encrypted files, shoudl they require the keys, to ensure no secure data is being taken? If they have to check those files, then don't the door guards need very high-level security clearances?

Unless you want the government to perform a full cavity search on every employee capable of interacting with anyone who has access to secure files every time they leave the building, this sort of thing can happen.

All the procedure in the world won't make up for an unthinking -- or worse, uncaring -- employee worried about meeting a deadline.

Re:Strange question

[jeepmeister]

This was a failure by the analyist who didn't feel it manditory to follow the rules.

As an IT security engineer for a very large health maintenance organization, trying to prevent our physicians, administrative people and business oriented wonks from committing gross acts of security stupidity turns out to be one of the biggest challenges. Organizations need to drive hard to make sure employees are aware that putting sensitive information in positions of vulnerability will invariably lead to compromise that is simply unacceptable. Without security as a mindset, these compromises are guaranteed to continue. I believe the analyst who compromised the data was fired, so it's obviously going to take more than just threatening the offender with termination to prevent future blunders.

It's An Old Problem.

[ackthpt]

a government employee was allowed to walk out of a government installation with the data on thousands of American citizens to store on an insecure personal computer? Doesn't that seem strange to you. This is a real failure, in my opinion, in government protection of its citizens. Layers of encryption and protected access was successfully bypassed to make the theft of this information as simple as stealing a home pc.

This happens all the time unfortunately. People's stupidity can circumvent and electronic security measures.

Here's how it happens:

• A study is made of security.
• Recommendations are put forward and implemented.
• Personnel in their mission to get work done find following secure procedures impedes their efficiency.
• Personnel devise ways to short cut, wink and a nod, as long as it's me and you know, it's OK, etc.
• Less restrictive, security is still viewed as a barrier to getting things done quicker, leads to more shortcutting and circumvention of procedures.
• Someone suddenly loses a computer hard drive, CDs a laptop, a networked computer is breached, etc.
• Everyone is shocked and amazed.
• To those who enabled the shortcuts and circumvention are curiously mum, but people know who they are and they eventually get cleaned out or taken out of the security loop.

The big problem is management, the people who make the big money to take responsibility, react more than proact. Security means vigilance, but it also means giving people the proper time to do their work within the procedures of security. In my life I've only met a few people who took day to day security seriously and made a point of not giving in when someone asked for a short cut, "just this one time."

Management as much as ever seems to attract people to the wages and not the actual responsibilities. Peter principal of some strip I suppose.

Re:Strange question

[Himring]

In response to the "rant" on the main page:

1. These were military personnel right? Referring to them as "American Citizens" is a stretch. Don't get me wrong. Hats off to our enlisted troops, but once you join the military you give up massive rights that a normal citizen has.

2. My dad served in the army, and from my understanding, it is anything but "intelligent." "Army Intelligence" was referred to as an oxymoron....

Re:Are these thefts really just random events?

[ScentCone]

First, how would someone know that this computer contained all this information?

If you're following the story, every indication is that it was a routine suburban residential burglary. I live in the same county as the home that was robbed, and this is exactly like every other B&E we always see: laptops, game consoles, digital cameras, jewelry, cash. Rinse, repeat.

If you live in the DC area as an info-worker, the odds of you handling sensitive payroll or similar data, especially related to government/military employees, is certainly higher than anywhere else in the country. But the odds of such a theft happening at all pretty much demand that crap like this is going to happen. The idiot probably would have lost his laptop in the same burglary regardless, but his inappropriate use of that data on his local drive, away from the office, turned something you otherwise would never have heard about into a real pain in the ass. Of course, the person who stole the hardware probably has no idea what's on it, or what to do with it.

Am I being paranoid?

If so, only about the wrong things. This is a workplace culture issue, not some nefarious plot. Too many people have casual access to all sorts of stuff (I know I do) without all of the interested parties really communicating about the risks and trust involved.

Re:Apples and oranges

[Red Flayer]

I have a service contract with the phone company relating to those specific calls. I do not have a service contract with the government relating to those specific calls. Due to the history of telephone monopoly in the US, neither I nor anyone else has the ability to demand confidentiality as part of our telephone service contract. The problem is that the government regulates a monopoly where it is in the direct interest of some parts of government to not regulate always in the favor of the citizen.

As to the 4th amendment (which was not metioned in the OP or my response), note that every time the Supreme Court has ruled that the 4th amendment does not apply, the government has requested access to phone records in relation to the investigation of a specific crime. Data mining (which definitely falls under the umbrella of 'monitoring') is a whole different story, because law enforcement is now looking for evidence of behavior that does not necessarily have anything to do with ANY crime. This, my friend, is specifically forbidden by laws governing the operation of domestic surveillance -- and makes the US a police state.