Data About 14,000+ Persons, Including SSNs, Credit Card Numbers, and Health Information, Accessed by Hackers on Pentagon Computers

Yesterday the AP released a story that was widely published, "Pentagon Hacker Compromises Personal Data." 

The story didn’t really give much detail, but does demonstrate the importance of firewalls, intrusion detection systems, and other types of monitoring and logging to detect unauthorized access to networks.  As well as the need to encrypt personal information…

"WASHINGTON — An intruder gained access to a Defense Department computer server and compromised confidential health care insurance information for more than 14,000 people, the department said Friday. 

William Winkenwerder Jr., the assistant defense secretary for health affairs, said the affected individuals have been advised by letter that the compromise of personal information could put them at risk for identity theft. 

"Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve," he said in a brief statement."

Yes, this is an inconvenience, a huge one, for people who end up having to fight the consequences of inadequate security for their personal information.  As another story from Houston points out, the amount of effort and time it takes for people to convince law enforcement, credit companies, and the companies where the security incidents occur, that bad things are happening to them, and then to clean up their credit information, is significant.

"HOUSTON — Identity theft is the fastest growing crime in the United States and Houston is the No. 1 spot for this crime in Texas. Yet, the KPRC Local 2 Troubleshooters found there is little chance the people committing these crimes will ever see the inside of a jail cell.  Every month an average of 340,000 Houstonians report crimes involving credit and debit cards.  This man is just one of those cases.

"It’s worse than having your car stolen because it’s an intangible. It’s your identity and I had no clue how I was going to get that back," a victim said.  He asked the Troubleshooters to shield his identity because someone ran up $17,000 worth of credit card charges under his name.  "I didn’t find out until I was getting calls from creditors," the victim said.  Equally frustrating is what happened when he said he reported the crime to police.  "The tone of the conversation was pretty clear. He had taken the report and I could get a copy of the report, which would help me clear my record," the victim said.  Angry by what he felt was a lack of response, he did his own digging and was able to find out which ATM the crooks were using to take out cash.

"I offered that to police and they were like, ‘Yeah, if you want to bring that down, that’s fine. We’ll have a look at it.’ But it was pretty clear nothing was going to be done," the victim said.  "I’ve been a victim of identity theft over three times in the past year and I understand their frustration. It’s a frustrating crime, said Sgt. Mike Osina with the Houston Police Department.  Osina is with HPD’s Financial Crimes Unit.  "We are inundated with cases," he said.

That may be an understatement. In the last two years, HPD’s 15-member financial crimes unit has received more than 32,000 cases for investigation. Just getting a detective on the phone to talk about a case can be a chore.  The Troubleshooters called the financial crimes unit.  "You have reached the Houston Police Department’s Financial Crimes Unit. All representatives are currently assisting other callers. Please remain on the line," the recording said.  The Troubleshooters waited for 10 minutes, 20 minutes, 30 minutes, and 45 minutes.  After being on hold for an hour, they heard the following message.  "All representatives are still assisting other callers. Please remain on the line and your call will be answered in the order in which it was received."  No one ever answered the Troubleshooters call.

"I don’t know what to tell you what happened on that and I apologize that it did happen. We will do a better job of that," Osina said.  So, with such heavy caseloads, what about actually catching the crooks?  "Every case gets read. Every single case that comes to our office gets read — that I can promise them," Osina said.  Reading a case is one thing. Solving it is another.  HPD records show in the last year, only 2 percent of forgery and counterfeiting cases and only 12 percent of fraud cases were actually solved. "Every time we get a handle on a certain way these crooks are doing things, they evolve into something else," Osina said.

Just ask the victim interviewed by the Troubleshooters. It took years to repair his credit. But what about the person who stole his identity?  "Actually, I don’t know. It’s still a mystery to me," the victim said.  One of the biggest problems with solving these cases is many of the crooks live in other cities, states or even foreign countries.  That means local detectives have to rely on other jurisdictions for help, and that spirit of cooperation isn’t always there.  As for the problems of getting ahold of a detective, the captain of the division was so disturbed by what the Troubleshooters found he said he is making immediate changes to ensure it doesn’t happen again."

Yes, this is a big inconvenience.  I think showing these stories in juxtaposition highlights the common flaw in the thinking of the companies where incidents occur, and with the judges who say if no damage is done (in their opinion) to a victim within a mere matter of a few weeks, then the company where the incident occurred is not held accountable and that it can be assumed that bad things will not happen.  Bad things can be done with the stolen data over a matter of months or years.  It often is not noticed until something unusual happens like getting a call from creditors.  The sad fact is that most people don’t look over their credit card statements closely…and that the bills for the newly established fraudulent accounts are often sent to bogus addresses, so that the victim never is aware of the fraud occurring.

Okay…back to the Pentagon hacking story…

"The Pentagon established a toll-free telephone number (1-800-600-9332) for affected people to call if they have questions. The computer server is for people insured under the Pentagon’s TRICARE health care system. 

The type of information that was compromised was not disclosed in the Pentagon announcement, but Winkenwerder said it varied and investigators do not know the intent of the crime or if the compromised information will be misused."

Of course you can never know the intent of the intruders for how they will use the information!  They will use it in any way they can, and probably in many different ways, to get as much money out of it as possible. 

It is possible the information will be sold, resold, and propagated to a very wide audience.   And, of course you cannot know IF the information will be misused, but shouldn’t you expect that is a very significant possibility given it was taken to begin with?

"A spokesman for Winkenwerder, who asked not to be identified, said the information included names, Social Security numbers, credit card numbers and some personal health information.  Routine monitoring of one of the health care insurance system’s public servers detected unusual activity, and an investigation led to the discovery on April 5 that an intrusion had occurred and information was compromised.  As a result, additional monitoring tools were installed to improve security of existing networks and data files, Winkenwerder said."

Highlights, again, the need to encrypt personal information at rest and in motion.  If this data had been encrypted there would truly have been no impact on 14,000+ people as a result of this incident (assuming the compromise was not done by an authorized insider).

The incident occurred on April 5, but the story was not reported until April 28.  I wonder how long it took the impacted individuals to get their notice of the incident?

Technorati Tags

Leave a Reply