
                      VA NEWS FLASH
from Larry Scott at VA Watchdog dot Org -- 10-06-2009
 



 

 

NATIONAL ARCHIVES DATA BREACH COULD IMPACT MILLIONS OF VETERANS

"This is the single largest release of personally identifiable information by the government ever. We leaked 70 million records, and no one has heard a word of it."

 

NOTE from Larry Scott, VA Watchdog dot Org ... OOPS!  Although this happened last year, we are just hearing about it now.  Seems like NARA has taken a page from the VA's playbook.

For a complete look at data breaches impacting veterans ... refer to this page ... here ...
http://www.vawatchdog.org/va%20data%20theft%20news.htm

-------------------------

Probe Targets Archives’ Handling of Data on 70 Million Vets

By Ryan Singel

http://www.wired.com/threatlevel/2009/10/probe-targets-archives-handling-of-data-on-70-million-vets/

 

The inspector general of the National Archives and Records Administration is investigating a potential data breach affecting tens of millions of records about U.S. military veterans, Wired.com has learned. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data.

The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled.

The incident was reported to NARA’s inspector general by Hank Bellomy, a NARA IT manager, who charges that the move put 70 million veterans at risk of identity theft, and that NARA’s practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America’s record-keeping agency.

“This is the single largest release of personally identifiable information by the government ever,” Bellomy told Wired.com. “When the USDA did the same thing, they provided credit monitoring for all their employees. We leaked 70 million records, and no one has heard a word of it.”

But NARA says the lost drive is not a problem because its contractors signed privacy promises in their contracts, though the agency has since changed its policy to require that sensitive media be destroyed by NARA itself.

The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals’ Social Security numbers as their service numbers.

When the unencrypted drive failed, Bellomy says he tried to subvert the longstanding recycling policy by hiding the drive in his safe. But it was taken out of his control when he was put on long-term leave. Under the conditions of the maintenance contract, if NARA did not return the drive, GMRI would have billed the agency $2,000 for a replacement.

He adds that more drives failed after the November incident, and that he performed a forensic scan on them to prove that they were full of sensitive data.

“I said you can’t turn them back in. The data is Privacy Act — it’s against the law,” Bellomy told Wired.com. “We have no clue how many drives have been sent back over the past seven years since this system was in place. I am a government employee and I’m a veteran, and just this year had both my credit cards replaced because they were compromised.”

The Pentagon requires that old drives be degaussed (demagnetized) or physically destroyed. In a 2006 report still in effect, the National Institute of Standards and Technology recommended purging and destruction methods (.pdf), while OMB rules (.pdf) dating to the same year require that agencies follow those NIST standards and encrypt sensitive data being sent or stored remotely.

But NARA says that while it no longer will send back drives, no rules were broken, and that warning veterans would cause unnecessary fear.

“NARA does not believe that a breach of PII (personally identifiable information) occurred, and therefore does not believe that notification is necessary or appropriate at this time,” NARA told Wired.com in an e-mailed background paper (pdf). “This view could change if the [inspector general] investigation of this incident later determines that GMRI … or their subcontractors took some illegal or unethical action that may have compromised sensitive data contained on the inoperable November 2008 disk drive.”

As part of a six-disk RAID 5 set-up, the drive likely contained about 18 percent of the database, and the disk also likely contained a quick look-up table that included all veterans’ names and service-record numbers, according to Bellomy.

US-CERT, the nation’s clearinghouse for data breaches and hacks, was notified in February by a NARA employee named Thomas Bennett, according to a document (.pdf) Bellomy provided to Wired.com.

“The information system contains a significant amount of Personally Identifiable Information (PII) and Sensitive PII about veterans,” wrote Thomas Bennett, a NARA employee. “As a result, we believe that is likely that the defective drive contains PII and SPII. At this time, we are trying to determine the location and status of the drive.”

The status of the NARA investigation is unclear, though the incident was alluded to in a recent report on the inspector general’s activity.

“We are aware of the incidents and are looking into it,” said Ross Weiland, the assistant inspector general for investigations at NARA. He declined further comment.

This isn’t the first time that veterans’ data has been lost or that NARA has been investigated for controversial data-handling practices.

The Veteran’s Administration lost a laptop containing personal records on more than 25 million veterans in 2005 and, earlier this year, settled a class action suit over the breach by paying out $20 million.

NARA recently lost a hard drive full of data from the Clinton White House, including 100,000 Social Security numbers, political records and event logs. The data has still not been located.

Both the House Oversight Committee for Veterans Affairs and an oversight committee for NARA were notified of the lost drive, but neither committee returned calls seeking comment.

President Obama’s pick for a new archivist, David S. Ferriero, is scheduled for a Senate confirmation hearing Thursday at 2:30.

-------------------------

TOPICS: veterans, veterans' benefits, VA, Department of Veterans' Affairs, NARA, data breach, hard drive

-------------------------
posted by
Larry Scott
Founder and Editor
VA Watchdog dot Org

-------------------------
