(Mis)Uses of Technology

by Mike Masnick

Military Data Leak Worse Than Previously Thought...

from the much,-much,-much-worse dept

Last year, we noted that in almost every publicized case of a data leak, a correction followed a few weeks later boosting the number of impacted people, often by large amounts. That's certainly true in the case of the stolen laptop and hard drive from a Veterans Affairs employee. When the story first came out, everyone was told that it only contained the data for veterans. Not so, apparently. The VA has now admitted that the stolen data includes information on 2.2 million military personnel as well, including approximately 80% of the nation's active-duty forces. Perhaps it's time to add current soldiers to the new lawsuit filed on behalf of veterans. In the meantime, these repeated stories of stolen laptops should cause some to wonder why those with such important data on laptops don't do the simplest things to protect the data.

Reader Comments

  1. DittoBox, Jun 7th, 2006 @ 12:10am

    I don't get it

    How do idiots like this get into positions where critical data on *millions* of people gets on backup tapes or other unencrypted?

    People like this should be literally thrown in a federal jail for a few years. That'll keep other idiots from taking this kind of stuff home with them.

    I know this is a royal pain in the arse and I also know it's very costly and difficult to implement but I feel that data should be separated. There should be about a half a dozen sites around the country with database servers. Each server contains a certain number of people's records. The catch is that these records are both encrypted and that an entire record or file of any given person is fragmented enough that no one single record exists on a single site. Furthermore, no user should ever have access to more than a certain number of records at a time. To go even further, not even backup operators get access to the entire system, only a single database on a single server.

    Backups are made locally and sent offsite, but no backups are ever in the same location, and they should be kept in maximum security vaults.

    This probably isn't even possible, let alone viable. But that's not the point: The point is how do we keep stupid idiots --or worse: criminals-- like this from walking off federal databases with quite literally *millions* of people's personal information?

    Oh, wait, our president already wants to do this.

  2. Anonymous Coward, Jun 7th, 2006 @ 2:27am


    I guess I'd better check to see if my info was among the stolen.. >=(

    How irresponsible.

  3. DarkShadow, Jun 7th, 2006 @ 4:17am

    another security suggestion

    Why not just put drive lock passwords and on-the-fly encryption on all disks? If the laptop is stolen the thief would have one heck of a time trying to get past decent encryption and an even harder time with the drive lock password ;)

  4. Scott, Jun 7th, 2006 @ 5:22am

    Re: I don't get it

    This was a person who was not even supposed to have this data outside of work, so it is very likely that they could aggregate it. So all of your plans are for naught as the failure is, yet again, a person who has access to the data, maliciously or stupidly doing something they should not have.

  5. Three Men In A Boat, Jun 7th, 2006 @ 6:20am

    Short-sighted... and dedicated?

    I can't help but notice that you all are complaining about the stupidity of a government worker who took work home. Yes, it was completely short-sighted to not have protection for the data... but the stereotypical government worker would never take work home. It's kind of sad that this ended so badly for the worker.

  6. Anonymous Coward, Jun 7th, 2006 @ 6:52am

    Can't sue

    Perhaps it's time to add current soldiers to the new lawsuit filed on behalf of veterans.

    Unless things have changed recently, an active duty serviceman can not file suit against the government without the government's permission. Maybe that's just the DOD...

  7. Anonymous Coward, Jun 7th, 2006 @ 7:33am

    Re: Short-sighted... and dedicated?

    When I was in the service I didn't meet many people willing to take work home. Call me ignorant, but exactly why does anyone need to take a 10,000,000 (current and released service people) name database home? For that matter, why was this person using a laptop in the first place? From the few details I have read, it sounds like this was a normal worker bee who probably did not have a need to travel. So I would assume, the majority of his work was done on the office computer and then he copied the data onto his laptop maybe? Lots of questions have not been answered, and as a vet I want some.

  8. Anonymous Coward, Jun 7th, 2006 @ 7:54am

    on a different note

    What if the employee took the data for a reason...to SELL IT!

  9. ebrke, Jun 7th, 2006 @ 8:20am

    Re: Re: Short-sighted... and dedicated?

    Struck me that way too. They say this analyst was working on a project; to me that means probably testing, and for testing purposes, why wouldn't you be using a small subset of this data? We seem to be talking about close to 30,000,000 records here.

  10. ShermDawggy, Jun 7th, 2006 @ 9:58am

    Data Leak

    Nine chances out of ten, the thief was probably a "CrackHead" who doesn't know what he has. More than likely, the laptop went for less than $100.00 and maybe on the desk of some joker not willing to pay top dollar for a new machine. Maybe the increase in the initial reward will get the laptop back where it belongs.

  11. Just Another Joe, Jun 7th, 2006 @ 10:03am


    The 10,000,000 was an arbitrary number I pulled out of the air, who really knows how many vets, both past and present are in this data base; it could be 10, 20, 30 or many millions more.

    When I was in the service, they kept everything about you in the DEFAS database. They could pull up most of your data from date of birth, social, residential history, service locations, you name it. With all that data, I wonder how large this database really was. If the analyst was taking home the project on a CD then 800 mb seems a bit small for all that data. Of course if he was stealing data slowly, that could make a bit more sense, only time will tell.
    I love the comment from Chron.com:

    Defense officials said the loss is unprecedented and raises concerns about the safety of U.S. military forces. But they cautioned that law enforcement agencies have not found evidence that the stolen information has been used to commit identity theft.

    Of course no one has used this data yet; most half-smart criminals would sit on this data for months if not years before using it.
    And look, the lawyers jumped on it:

    A coalition of veterans groups filed a class-action lawsuit against the federal government on Tuesday, contending that privacy rights were violated and seeking $1,000 in damages for each affected veteran.

    $1,000 might barely cover the legal fees most people end up paying in the event of identity theft. I wish they would get a clue and really stick it to them but by doing this so early, any vet who accepts the $1,000 indemnifies the government later.

  12. Joe Smith, Jun 7th, 2006 @ 11:25am

    Re: Re: Short-sighted... and dedicated?

    Even if it was not foreseeable that a government employee would take work home ( :-) ) it was certainly foreseeable that he would take the laptop out of the office - that is the whole point of a laptop.

    I agree with the poster who said that there should be hardware encryption built in to laptops.

  13. Anonymous Coward, Jun 8th, 2006 @ 5:51am

    Either these files only contain very limited information or I find it hard to believe all this data could have been moved to a single laptop so easily.

  14. navyvet, Jun 12th, 2006 @ 5:58pm

    Innocent worker????

    Like one person said the stereotype........wouldn't take it home.
    I don't see this as a coincidence, innocent happening, poor
    old worker. Why did they take it home? Why was it suddenly
    stolen? I would think this worker doesn't need to be on leave;
    but either behind bars or out on bail under house arrest.
    This is highly likely not to be an innocent worker and a random
    bunch of thieves. I got a letter, too, and my service is before 1975! They are hiding the total numbers!
