Are You Concerned About Loss of Personal Data

Are You Concerned About Loss of Personal Data?
     By Carlisle Barnes, Newsletter Editor, Bowling Green Area       Microcomputer User Group, KY
     Newcarlislebarnes@insightbb.com
     http://www.bgamug.org/

The advanced state of Information Technology is one of the great blessings of modern times. Today it is built into our economy, and it would be hard for both individuals and corporate America to do without it. However, along with the blessings to us have come curses. These curses are going to get considerably worse unless some dramatic changes are made in the way stored information is handled by the majority of organizations.

Computer spam, pfisheng/phishing schemes and other e-mail con games, as well as a multitude of ever changing computer viruses are obvious curses to everyone using a computer on-line. Great effort is being expended to get these curses under control. Very good and still improving anti-virus programs are available. Bill Gates said recently that spam will be completely under control within two years. (It will be interesting to see if Bill is right about that.) The point is that something positive is being done to correct those Internet curses.

However, one of the worst of current IT curses is identity theft, and very few positive things are being done to stop it. Identity theft is not associated with the Internet as are many other IT curses, but it has become very much associated with computers because of the casual way in which CD’s, laptop computers, and portable hard drives are often handled. People who would never ever consider leaving a collection of gold coins laying in the back seat of a car, or leaving a thousand dollar bill on a table while going to get another cup of coffee, seem to have developed very little concern about leaving a portable computer, a container of CD’s, or even a portable hard drive in all sorts of places where they can be easily stolen. (Home?)

Unlike sensitive data handled by military or military contractor organizations, the personal data stored in files of civilian Government organizations, major universities, insurance companies, credit card companies, and etc. are often treated as casually as advertising material. A recent extreme example is shocking and deserves examination.
Not long ago, a Veteran’s Administration senior analyst took home electronic data from the office to do after-hours work on his personal computer. He had done this numerous times before. The data included names, Social Security numbers, and dates of birth on 26.5 million veterans. These data list essentially all military personal who have served following the Second World War. The analyst’s laptop and a Government owned external hard drive (along with all the data under discussion on it of course,) were stolen in a May 3 burglary of his home. He reported the theft within an hour of discovering it. VA Secretary of Veterans Affairs Jim Nicholson made a public announcement of the theft on May 22.

Jim Nicholson appeared before the House Committee on Veterans Affairs to explain the situation. While accepting a certain amount of personal responsibility for the data breach, Nicholson expressed anger toward the analyst who took the data home “without permission.” Further, he said "As a veteran myself, I have to tell you I'm outraged. Frankly, I'm mad as hell." Afterward, he fired the analyst involved. For what appear to be justifiable reasons, the analyst is now suing to be reinstated.

What Nicholson did not report, and later insisted that he did not know, was that the analyst had been taking data home as part of his regular work routine since 2003. (Is the VA a good place to work?) Furthermore, existing documents dated September 5, 2002 show that the analyst -- lead programmer within the Policy Analysis Service -- was officially permitted to take the external hard drive home for "work-related projects." Specifically, he had a property pass allowing the laptop and accessories to be removed from the building and also a permit allowing him to access any Social Security numbers on the hard drive. It later turned out that there was yet a third document allowing him to remove various materials from the VA building.

A certain amount of security could have been provided for these “take home” documents, by encrypting them. However, a reasonable up-front cost for the systems, services, processes, and procedures to encrypt 100,000 or more customer records is estimated to be about $500,000. VA working personnel probably couldn’t justify that sort of expense to their budget group.

Once files have been stolen, it is difficult to determine if the data have been used illegally. The computer and VA hard disk have now been returned, apparently without data loss, but if it is eventually considered necessary to contact all affected veterans and to provide them with credit-checking services, then there will be an estimated taxpayer cost of at least $100 million.

The fiasco was not quite finished when Nicholson appeared at the congressional hearing. It was revealed at that hearing that Pedeo Cadenas, the VA's chief information security officer, had resigned by e-mail 30 minutes before the proceedings began. Nicholson said he was completely unaware of Cadenas’ intentions. Evidently, Nicholson has learned many things rather late.

On June 28th, not quite two months after they were stolen, the computer and external hard drive were turned in to the FBI Office in Baltimore, Maryland. A tipster, in response to the $50,000 reward being offered, had let a US Park official know that the equipment might be recovered. Quickly then, the stolen items were turned in to the FBI. The tipster was not identified, nor was it clear if either he or anyone else would receive the $50,000 reward. Furthermore, no one has been arrested for stealing the equipment, unless that particular information is being held secret for some reason.

Inspection of the hard drive by the FBI does not indicate access to the data during the time that the drive was in the possession of the thief. Superficially then, no data were compromised and there is perhaps nothing to worry about.

Unfortunately, if the thief was a computer expert, knew what he had, and wanted to make illicit use of the data, then he could have transferred everything on the external hard drive to another hard drive without leaving a record. While that is possible, it seems improbable and it seems unlikely that there is reason for continued concern. However, can we be absolutely sure?

Those of us who served in the military, or worked for military contractors are quite well aware of the way in which sensitive intellectual material is handled by these organizations. While current practices are unknown to the author, not very many years ago, there were at least five security levels. Restricted meant that the information was not to be given to unauthorized people, was certainly not to be made available to newspapers or to other media, and was not to be left anywhere where it might be stolen. The only people allowed to see the material were those with a need to know about it. Confidential material classification, one step up from Restricted meant that the material was not to be made available to anyone not having appropriate clearance i.e., clearance by appropriate investigators. Except when being used in a cleared area by cleared personal, the material was to be locked in a desk or file cabinet with a safety bar and a combination lock. All desks and cabinets were to be regularly checked by guards. Secret material was to be handled in somewhat the same way, but clearance was more difficult to obtain, storage was in a secure safe, not in cabinets or desks, and material was to be guarded twenty four hours a day, and seven days a week. Top secret material was of course even more closely guarded, and investigations for personal clearance were carried out by FBI personnel; in general all security was substantially tightened. . Then there was “Special Clearance” which need not be discussed here, but which was very tight indeed.

It is absolutely shocking to note that as serious as identity theft can be, hardly anyone handling social security numbers, driver’s license numbers, medical history facts, educational information, and etc., etc. is required to treat personal information in their possession with a level as high as military Restricted. As this article was being written, yet another security breach occurred at Ohio University, Athens, Ohio. There were several resignations from the school staff as a result, but it is one more case of “locking the barn door after the horse is gone.”

If current sloppy handling of private data continues, then it is only a matter of time until identity theft becomes a disaster.

This article by your newsletter editor is as close as you will get to a BGA-Bytes editorial. However, your editor considers the matter to be a lot more serious than it is being treated by many people and particularly by most public officials.

If you would like to encourage your congressmen or other public officials to put some teeth into privacy laws and into laws concerning the handling of private information, then may I encourage you to write and let them know how you feel.

To help you get started in sending letters, here are three addresses of interest. There are numerous others on the Internet.

U. S. Senator Mitch McConnell, 361A Russell Senate Office Building, Washington D. C . 20510
U. S. Senator Jim Bunning, 316 Hart Senate Office Building, Washington D. C. 20510 U. S. Representative Ron Lewis, 2418 Rayburn House Office Building, Washington D. C. 20515

There is no restriction against any non-profit group using this article as long as it is kept in context with proper credit given the author. The Editorial Committee of the Association of Personal Computer User Groups (APCUG), an international organization of which this group is a member, brings this article to you.