Caught wind of this via Dan Cedusky’s e-mail (great stuff there as always).
From Ryan Singel in Wired.
The inspector general of the National Archives and Records Administration is investigating a potential data breach affecting tens of millions of records about U.S. military veterans, Wired.com has learned. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data.
The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled.
The incident was reported to NARA’s inspector general by Hank Bellomy, a NARA IT manager, who charges that the move put 70 million veterans at risk of identity theft, and that NARA’s practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America’s record-keeping agency.
“This is the single largest release of personally identifiable information by the government ever,” Bellomy told Wired.com. “When the USDA did the same thing, they provided credit monitoring for all their employees. We leaked 70 million records, and no one has heard a word of it.”
But NARA says the lost drive is not a problem because its contractors signed privacy promises in their contracts, though the agency has since changed its policy to require that sensitive media be destroyed by NARA itself.
The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals’ Social Security numbers as their service numbers.
When the unencrypted drive failed, Bellomy says he tried to subvert the longstanding recycling policy by hiding the drive in his safe. But it was taken out of his control when he was put on long-term leave. Under the conditions of the maintenance contract, if NARA did not return the drive, GMRI would have billed the agency $2,000 for a replacement.
He adds that more drives failed after the November incident, and that he performed a forensic scan on them to prove that they were full of sensitive data.
“I said you can’t turn them back in. The data is Privacy Act — it’s against the law,” Bellomy told Wired.com. “We have no clue how many drives have been sent back over the past seven years since this system was in place. I am a government employee and I’m a veteran, and just this year had both my credit cards replaced because they were compromised.”
The Pentagon requires that old drives be degaussed (de-magnified) or physically destroyed. In a 2006 report still in effect, the National Institute of Standards and Technology recommended purging and destruction methods (.pdf), while OMB rules (.pdf) dating to the same year require that agencies follow those NIST standards and encrypt sensitive data being sent or stored remotely.
But NARA says that while it no longer will send back drives, no rules were broken, and that warning veterans would cause unnecessary fear.
“NARA does not believe that a breach of PII (personally identifiable information) occurred, and therefore does not believe that notification is necessary or appropriate at this time,” NARA told Wired.com in an e-mailed background paper (pdf). “This view could change if the [inspector general] investigation of this incident later determines that GMRI … or their subcontractors took some illegal or unethical action that may have compromised sensitive data contained on the inoperable November 2008 disk drive.”
As part of a six-disk RAID 5 set-up, the drive likely contained about 18 percent of the database, and the disk also likely contained a quick look-up table that included all veterans’ names and service-record numbers, according to Bellomy.
US-CERT, the nation’s clearinghouse for data breaches and hacks, was notified in February by a NARA employee named Thomas Bennett, according to a document (.pdf) Bellomy provided to Wired.com.
“The information system contains a significant amount of Personally Identifiable Information (PII) and Sensitive PII about veterans,” wrote Thomas Bennett, a NARA employee. “As a result, we believe that it is likely that the defective drive contains PII and SPII. At this time, we are trying to determine the location and status of the drive.”
The status of the NARA investigation is unclear, though the incident was alluded to in a recent report on the inspector general’s activity.
“We are aware of the incidents and are looking into it,” said Ross Weiland, the assistant inspector general for investigations at NARA. He declined further comment.
This isn’t the first time that veterans’ data has been lost or that NARA has been investigated for controversial data-handling practices.
The Veteran’s Administration lost a laptop containing personal records on more than 25 million veterans in 2005 and, earlier this year, settled a class action suit over the breach by paying out $20 million.
NARA recently lost a hard drive full of data from the Clinton White House, including 100,000 Social Security numbers, political records and event logs. The data has still not been located.
Both the House Oversight Committee for Veterans Affairs and an oversight committee for NARA were notified of the lost drive, but neither committee returned calls seeking comment.
President Obama’s pick for a new archivist, David S. Ferriero, is scheduled for a Senate confirmation hearing Thursday at 2:30.