TSA Loses Hard Drive With Personnel Info
WrongSizeGlass writes "A portable hard drive containing personnel data for former and current employees went missing from a controlled area at the TSA.
From the article: 'The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.'"
There are no problems if the disk was encrypted ...
The important stuff was encrypted... Wasn't it?
... have a digital identification, and most everyone does, you have to be alert to possible wrongful use of it by others.
Considering all the past digital leaks, I've got to wonder who hasn't had information on them digitally leaked?
Maybe using Social Security numbers for just about everything isn't such a good idea.
From the BBC article:
Salary details, addresses, dates of birth, national insurance and phone numbers were on the machine which was stolen from a printing firm.
It is now too easy for huge quantities of private data to be carried around on laptops and memory sticks, often by people who do not understand the consequences of failing to protect that data. Companies need to be held to account when data is lost.
Any sufficiently advanced bug is indistinguishable from a feature.
TSA? The stupid Article? The Shitty Article? Topless Sluts in Abilene? bah I give up. time for my oxycodone enywho.
Even if you have decent physical security, some items will attract thieves. Anything shiny and portable is likely to walk out the door. A portable disk drive is a good example of a thief magnet.
Mea navis aericumbens anguillis abundat
Somebody really ought to introduce truecrypt to the "security" people...
Using Social Security Numbers for everything isn't such a bad idea. It is a convenient way to identify someone, since it is guaranteed to be unique. The problem comes when the SSN is the only piece of information you need to take control over someone's life. There should be some more basic checks put in place to ensure the person is who they claim to be. An example could be mailing the person at their last known address and asking them to send a letter back with an authorised signature on a document that explains what is about to happen. When these basic checks are missing, it is no wonder it is so easy to steal another person's identity.
I'll probably be modded down for this...
Now they'll experience how it feels to be on the receiving end of violation of privacy!
There's your problem. I can see the allure of using a portable drive, in that you can easily move the data around from computer to computer, but really, we have a better way to move the data: The bloody network! That HDD should have been screwed into a locked case mounted in a rack bolted to the floor of a securely locked room.
Support the mob or mysteriously disappear.
Why does it take a data breach happening to some organization to get them to decide to protect information?
Maybe a law should be made that any organization that is trusted with public data be forced to embed all of their CEOs', CFOs', other officers', management's, and shareholders' data in the same databases.
I know that the reason all this data keeps getting exposed is because management would rather save money instead of training their IT staff (if they need it) or just giving them the time to implement good, safe, data handling practices. Put their data on the line too and let's see how they decide about safe data handling practices.
I'm still waiting for the day when full drive encryption becomes standard. You power the machine on, input a password (or insert a USB key and input a password) and the machine then continues normally. While this might not stop completely determined information thieves, it should put an end to drives full of personal info showing up on ebay. What would be even better is if it became required practice for anyone working with sensitive data like that.
NewslilySocial News. No lolcats allowed.
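As an added illustration of the pre-boot unlock described in the comment above (this is example code written for this page, not code from the original thread and not the implementation of any real disk-encryption product), the Python below shows how a typed password and a keyfile on a USB stick can both be required to derive the volume key, with a small verifier stored in the volume header so the boot prompt can reject a wrong password or a missing keyfile before touching any data. The bulk encryption of sectors is left out; the iteration count, key length, label string and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example (not taken from any real FDE product):
PBKDF2_ITERATIONS = 200_000          # work factor against offline password guessing
KEY_LEN = 32                         # 256-bit volume key
VERIFIER_LABEL = b"fde-header-verifier"


def mix_password_and_keyfile(password: bytes, keyfile: bytes) -> bytes:
    """Fold the USB keyfile into the password so that both are needed.

    The keyfile is hashed first so its length is irrelevant: a keyfile of
    any size contributes a fixed 32-byte secret to the key material.
    """
    return password + hashlib.sha256(keyfile).digest()


def derive_volume_key(password: bytes, keyfile: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over password || H(keyfile), salted per volume."""
    material = mix_password_and_keyfile(password, keyfile)
    return hashlib.pbkdf2_hmac("sha256", material, salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def header_verifier(volume_key: bytes) -> bytes:
    """Tag kept in the on-disk header that proves the right key was derived.

    It is an HMAC of a fixed label under the volume key, so it reveals
    nothing about the key itself to whoever finds the drive.
    """
    return hmac.new(volume_key, VERIFIER_LABEL, hashlib.sha256).digest()


def format_volume(password: bytes, keyfile: bytes) -> dict:
    """Create the header for a new encrypted volume.

    Only the salt and the verifier are written to disk; the key never is.
    """
    salt = secrets.token_bytes(16)
    key = derive_volume_key(password, keyfile, salt)
    return {"salt": salt, "verifier": header_verifier(key)}


def unlock_volume(header: dict, password: bytes, keyfile: bytes):
    """What the pre-boot prompt does: re-derive the key and check the verifier.

    Returns the volume key on success, or None for a wrong password or a
    wrong/missing keyfile. compare_digest avoids a timing side channel.
    """
    key = derive_volume_key(password, keyfile, header["salt"])
    if not hmac.compare_digest(header_verifier(key), header["verifier"]):
        return None
    return key


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration, not real ones.
    pw = b"correct horse battery staple"
    usb_keyfile = secrets.token_bytes(4096)   # stands in for a file on the USB key
    hdr = format_volume(pw, usb_keyfile)

    assert unlock_volume(hdr, pw, usb_keyfile) is not None
    assert unlock_volume(hdr, b"wrong password", usb_keyfile) is None
    assert unlock_volume(hdr, pw, b"") is None        # password alone is not enough
    print("unlock succeeds only with both the password and the keyfile")
```

The point of the header verifier is operational rather than cryptographic: a thief who powers the drive on gets a clean "wrong credentials" refusal instead of garbage, and the legitimate user finds out immediately that the wrong USB stick is plugged in. The salt is per volume, so two machines formatted with the same password and keyfile still derive different keys.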
He's very sneaky.
In one of his Modesty Blaise novels, Miss Blaise remarks to the head of a British security agency that:
"Security agencies are always too busy watching everyone else to watch themselves. How long has it been since you changed your locks or checked on your guards?"
Now we have portable thief magnets? Nobody would believe it ten years ago.
echo 'cat sig | sh' > sig
No one talks about TSA. I'm sure even mentioning that this has happened is a violation of some stupid Federal law and the terrorists have already won.
This is why I try not to use my Social Security number for identification purposes anymore. I really should try to figure out who has it & what I can do to reduce the use of it.
Wayne Madsen is maintaining a chart of data thefts of personal information. He lists 3 or 4 dozen thefts. He believes these thefts are an attempt to populate the Total Information Awareness databases.
Never ascribe to incompetence what can be explained by malice, I guess.
Computers are useless. They can only give you answers.
-- Pablo Picasso
...Get over it.
Information wants to be free! If everything was public data we wouldn't have these problems; also, we can get rid of all criminal activities if we abolish every law!
Seriously, with the sheer amount of data that is accumulated everywhere, and how densely we can store it, well, this is going to happen more and more.
I don't think you need unbreakable encryption for financial data, but for state secrets, a removable-drive one-time pad that is chained to the operator will do the trick.
For anything less than a state secret, you want something that only the most well-funded adversary can break in a reasonable length of time. You get to define "reasonable."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
SS#s are supposed to be unique. They aren't recycled.
Every now and then you find out about a SS# that is not unique. The SS office issues a new number to one or both individuals and mea culpas all around. See this news story for one example.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
...in TSA!
...is some TLA government organization to take care of TSA's security, so they won't have to deal with that subject, and can dedicate themselves to harassing people.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I've been in gov't IT for 15 years, this should never have left the server farm. If it had to be on a portable device, it should have been a laptop and heavily encrypted, not that I can see a good reason to give anyone that info. The retirement planning people can make do with very little info.
When you sympathize with stupidity, you start thinking like an idiot.
is that they had around 100,000 employees to lose data on. That's a lot of shoe checkers!
...how government organisations continue to store HUGE amounts of CRITICAL and VERY PRIVATE data on LAPTOPS. Either they have idiot software developers, or they genuinely do not care about security at all.
It's sad when the developers are the biggest security hole in critical government software.
Where I work, employee laptops are required to make use of File Vault on the Mac, and I believe that the entire HD is encrypted if you choose a Windows laptop instead. I'm not sure of the Linux option, but I believe that there is one.
In light of that, why isn't that kind of policy used everywhere? Doesn't it just make good sense?
The TSA shouldn't even be able to claim that this was a legacy laptop, as frankly their agency hasn't been around that long. I don't get it.
--
$tar -xvf
Given that the firm, Blackwater USA, is responsible for performing the security background checks on TSA employees (I believe there was a news article several months back where four recently hired employees in the Seattle-Tacoma area were convicted - and jailed - for pilfering luggage - another fine Blackwater USA mission accomplished!), any compromised data is pretty much a moot point......
What, no backup?
This happens every day.
Check out http://www.privacyrights.org/ar/ChronDataBreaches.htm
I'm waiting for the news story that says the Department of Homeland Security just lost a hard drive with the personal information of every Federal agent in the government and all the White House security information on it.
These people are morons. Their sole purpose in life is to screw up while pushing other people around with self-righteous notions that THEY are the ones "protecting" everybody else.
It's the "cop mentality" writ large - which is the same basic mentality as a Mafia protection racket.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
*Dons the cloak of Anonymous Coward*
It's only news because it's the TSA. Most of these... events... don't ever make it into the press.
Drat, where DID I leave the damn thing?
-- Cheers!
Apparently the screeners were distracted when someone tried to enter the area with a photo of a shampoo bottle and so they didn't notice the theft. According to the DHS, the photo was probably inserted into the shampoo ad by an al-Qaeda operative.
You mean this guy? He may be on to something, or it could just be another of his loony theories.
Slashdot is important, regardless of for whom you work.
I'm sure people at the Fed level have been reading /. for as long as it's been up. I've been on since we first got the web in the early 90's. I've only been at the state and city level, never the fed level.
As a network and database admin, I've found it to be pretty darn important. I first read about I Love You at 7am at work when it sprang, told our security admin who doesn't read /. (or at least he didn't at that time) and he went and yanked the outside connection to our firewall. It did hit us, but very lightly compared to the rest of the city and for some reason the payload did effectively no damage.
When you sympathize with stupidity, you start thinking like an idiot.
If it were the TSA, they can just go back in time and find out what happened to it. No biggie.
So, Welcome to the TSA. We take great pride in providing security to the ENTIRE USA's airport infrastructure. Now, in order to complete your indoctrination, you must go visit our benefits site...www.goatse.ch. Get the idea? If not, Bertha is waiting in the back room to show you on a more physical plane how you will feel after you work here for about 6 months. Thanks, and enjoy your new job!
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
I am asking again. Why aren't there strict guidelines/laws about how personal data is kept? I know that medical people have a HIPAA (spelling may be wrong) guideline that is so strong that people are signing all the time that they have received information about how much medical practitioners care about personal data security.
How about something HIPAA-like that covers personal/financial information?
The information should be protected with something like 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 (or better)
What can I say, both to the original story and to this particular comment?
Hmmm... Hahaahahahahahahahahha!
MOD parent up, Score: 5, FUNNY!
Oh, wait, you were serious?
Sorry.
~Hal
Here's an idea I've been kicking around for a little while...
When software companies treat their code the way we collectively treat our personal information, we in the /. Community LAUGH at THEM. It's called "security through obscurity", and as we all know, that scheme is doomed to failure. My idea is security through information proliferation. Let's practice what we preach, and open-source/GPL our "personal data", simultaneously allowing anyone to view or use it, and in so doing, render it unusable and useless.
Supposition 1: Personal data is a commodity because it's unique to the individual it regards.
Supposition 2: Personal data must be safeguarded because people use it to demonstrate that they are whom they claim to be, that is, to identify people uniquely, to facilitate transactions which either immediately, or ultimately involve the exchange of money, goods, or services, etc.
Conclusion: Personal data is desirable to people who should not have it, for their own financial gain at your expense.
Countless instances of identity theft bear out my conclusion. Now...
Posit: What if, since we can't conduct business efficiently in the world today the way things are going, and since we can't count on business or government to take care of our personal data, we scorch the earth, so to speak. That is, what if we, as a group, post all our so-called "sensitive data" to a website on the internet, and perhaps even have someone verify that it's accurate, then inform credit-reporting agencies, banks, and other financial institutions that the information has been compromised, and place fraud alerts on all our record-files.
It's OUR information after all; if we want to disseminate it, that's our business. Now, if everyone has access to it, no one can prove the person in possession of it is really any particular person, and it becomes VALUELESS.
Anyone who extends credit without adequately verifying that the applicant is who he/she says he/she is will be liable for all damages, since they have a duty to know, and reasonably SHOULD know, that the person's information was compromised. I'm not a lawyer, but if there are any lawyers reading this, you can argue whether or not this idea is valid.
Or is someone already doing this?
Discuss.
~Hal
Given reports that TSA employees steal travellers' items, I wouldn't be surprised the hard drive was stolen by insiders, seriously.