Slashdot Mirror

← Back to Stories (view on slashdot.org)

TSA Loses Hard Drive With Personnel Info

Posted by CowboyNeal on from the living-up-to-their-name dept.

WrongSizeGlass writes "A portable hard drive containing personnel data for former and current employees, went missing from a controlled area at the TSA. From the article: 'The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.'"

10 of 123 comments (clear)

  1. Put Management's Data In The Databases by NeverVotedBush · · Score: 3, Interesting

    Why does it take a data breach happening to some organization to get them to decide to protect information?

    Maybe a law should be made that any organization that is trusted with public data be forced to imbed all of their CEO's, CFO's, other officers, management, and shareholder's data in the same databases.

    I know that the reason all this data keeps getting exposed is because management would rather save money instead of training their IT staff (if they need it) or just giving them the time to implement good, safe, data handling practices. Put their data on the line too and let's see how they decide about safe data handling practices.

  2. More security by blhack · · Score: 2, Interesting

    I'm still waiting for the day when full drive encryption becomes standard. You power the machine on, input a password (or insert a USB key and input a password) and the machine then continues normally. While this might not stop completely determined information thieves, it should put an end to drives full of personal info showing up on ebay. What would be even better is if it became required practice for anyone working with sensitive data like that.

    --
    NewslilySocial News. No lolcats allowed.
  3. Re:Encrypted ? by tverbeek · · Score: 2, Interesting

    There is no problems if the disc was encrypted ...
    ...or formatted with HFS+. No one would ever think of mounting the drive on a Mac, and Windows will show the drive as "unformatted". :)
    --
    http://alternatives.rzero.com/
  4. One-time pad encryption is unbreakable by davidwr · · Score: 2, Interesting

    I don't think you need unbreakable encryption for financial data, but for state secrets, a removable-drive one-time pad that is chained to the operator will do the trick.

    For anything less than a state secret, you want something that only the most well-funded adversary can break in a reasonable length of time. You get to define "reasonable."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. supposed to be unique, not always by davidwr · · Score: 3, Interesting

    SS#s are supposed to be unique. They aren't recycled.

    Every now and then you find out about a SS# that is not unique. The SS office issues new number to one or both individuals and mea culpas all around. See this news story for one example.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  6. Re:Encrypted ? by malcomvetter · · Score: 2, Interesting

    There is no problems if the disc was encrypted ...

    Wrong. Encryption is only as good as the key. Or in practical cases, only as good as the password that protects the key. And in all likelihood (like most enterprises) they key is probably managed in such a way that dozens of people could have accessed it, especially if it was shared "enterprise" data.

    Security people turn to crypto as the answer to everything. It isn't. Even cryptographer Bruce Schneier lamented that mistake in the opening of his book Secrets and Lies. Cryptography should always be a last resort. Encrypted data is not protected forever. At a maximum, the lifespan of its protection is limited by Moore's Law. At a minimum, the key management.

    This data should not have resided upon drives that were removable without notice. Period. Forget about crypto.

    I have said this before, and I'll say this again: we (the IT industry) created a problem with mobile computing. We allow data to be stored on mobile devices in a distributed computing environment and then years later (after we realize the problem we created), we freak out and throw magic crypto fairy dust at the problem. Encrypted hard drives are only as good as they keys that protect them. Since enterprises need the flexibility of a large support staff, many people will have access to the keys. And since the products are designed to run so that even computer illiterate users will use the software, a shoulder-surfer can backdoor the whole process. The best way to protect this data ... and we all know it, most of us just refuse to accept it ... is to return to the mainframe days and centralized computing. If that data stayed on a central SAN and the environment was not set up for removable drives, then this would not be news.

  7. Re:Wait... by Actually,+I+do+RTFA · · Score: 1, Interesting

    Isn't it better to report all possible breaches, including false alarms, so things can be dealt with earlier (and cheaper)?

    --
    Your ad here. Ask me how!
  8. Re:Portable HDD? by florescent_beige · · Score: 2, Interesting

    There is a pretty good reason to carry data around on a removable drive. It's cheap bandwidth.

    I know this because we used to do streaming backups to an offsite location (one of the guys' houses (we are a (very) small business)). The DSL we used had a download speed on his end of about 1Mb/s. That is .125MB/s. Carrying a 120GB drive home every night, assuming the drive is one hour, has a bandwidth of 34MB/s or about the speed of a T4 line. It's also essentially free because the amortized cost of the drive and caddy over a few years is about zero.

    --
    Equine Mammals Are Considerably Smaller
  9. Re:The problem isn't using the SSNs by cellocgw · · Score: 2, Interesting

    Using Social Security Numbers for everything isn't such a bad idea. It is a convenient way to identify someone, since it is guaranteed to be unique.
    It may be unique, but it is most definitely NOT an identifier. Everyone over the age of about 45 (I forget the exact year) got a SSN by asking for it. The original intent of the Social Security Card was to let you and your employer (and Uncle Sam) track your earnings and taxes on said earnings. There was no proof of identity involved. I could have created a SSN for Lrac W. (instead of Carl, get it :-)) and nobody would have cared.
    Personally I think it was a disastrously stupid move to make SSNs legal identification. The bloody things don't have fingerprints, photos, DNA, or anything at all that prove who you are.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  10. Gov't infiltration? by wwphx · · Score: 2, Interesting

    I'm sure people at the Fed level have been reading /. for as long as it's been up. I've been on since we first got the web in the early 90's. I've only been at the state and city level, never the fed level.

    As a network and database admin, I've found it to be pretty darn important. I first read about I Love You at 7am at work when it sprang, told our security admin who doesn't read /. (or at least he didn't at that time) and he went and yanked the outside connection to our firewall. It did hit us, but very lightly compared to the rest of the city and for some reason the payload did effectively no damage.

    Slashdot is important, regardless of for whom you work.

    --
    When you sympathize with stupidity, you start thinking like an idiot.