Slashdot Mirror


TSA Loses Hard Drive With Personnel Info

WrongSizeGlass writes "A portable hard drive containing personnel data for former and current employees went missing from a controlled area at the TSA. From the article: 'The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.'"

30 of 123 comments

  1. Encrypted ? by messner_007 · · Score: 3, Insightful

    There are no problems if the disc was encrypted ...

    1. Re:Encrypted ? by cp.tar · · Score: 3, Funny

      All your files are belong to us?

      --
      Ignore this signature. By order.
    2. Re:Encrypted ? by tverbeek · · Score: 2, Interesting

      There are no problems if the disc was encrypted ...
      ...or formatted with HFS+. No one would ever think of mounting the drive on a Mac, and Windows will show the drive as "unformatted". :)
      --
      http://alternatives.rzero.com/
    3. Re:Encrypted ? by Tuoqui · · Score: 4, Insightful

      Encryption is not undefeatable.

      The entire idea behind encryption is to make it difficult/impossible to the casual hacker. If someone were dedicated to get into the information contained within however it would only be a matter of two variables... Time and Processing power.

      Encryption is not a silver bullet to any and all security problems, it just mitigates some of the risk. If they can't crack the encryption within 20 years then most of the info would be useless by then. If they can do it in 3 months then it's a problem...

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
    4. Re:Encrypted ? by inviolet · · Score: 2, Insightful

      The entire idea behind encryption is to make it difficult/impossible to the casual hacker. If someone were dedicated to get into the information contained within however it would only be a matter of two variables... Time and Processing power.

      Brute-forcing is for chumps. (Well, assuming your average chump has a grid computer and a few years to spare). Real Men use social engineering to get secret keys.

      The TSA has a notoriously shallow understanding of security, because they need to put on a demonstration of security that ordinary people -- who don't understand it either -- will find calming. So you just know that the TSA is plenty vulnerable to the "Hi I'm from IT" call to the receptionist.

      --
      FATMOUSE + YOU = FATMOUSE
    5. Re:Encrypted ? by malcomvetter · · Score: 2, Interesting

      There are no problems if the disc was encrypted ...

      Wrong. Encryption is only as good as the key. Or in practical cases, only as good as the password that protects the key. And in all likelihood (like most enterprises) the key is probably managed in such a way that dozens of people could have accessed it, especially if it was shared "enterprise" data.

      Security people turn to crypto as the answer to everything. It isn't. Even cryptographer Bruce Schneier lamented that mistake in the opening of his book Secrets and Lies. Cryptography should always be a last resort. Encrypted data is not protected forever. At a maximum, the lifespan of its protection is limited by Moore's Law. At a minimum, the key management.

      This data should not have resided upon drives that were removable without notice. Period. Forget about crypto.

      I have said this before, and I'll say this again: we (the IT industry) created a problem with mobile computing. We allow data to be stored on mobile devices in a distributed computing environment and then years later (after we realize the problem we created), we freak out and throw magic crypto fairy dust at the problem. Encrypted hard drives are only as good as the keys that protect them. Since enterprises need the flexibility of a large support staff, many people will have access to the keys. And since the products are designed to run so that even computer illiterate users will use the software, a shoulder-surfer can backdoor the whole process. The best way to protect this data ... and we all know it, most of us just refuse to accept it ... is to return to the mainframe days and centralized computing. If that data stayed on a central SAN and the environment was not set up for removable drives, then this would not be news.

    6. Re:Encrypted ? by 8ball629 · · Score: 2, Insightful

      I'm sure whoever stole it knows what it was mounted to previously.

  2. Its just another statement that if you.... by 3seas · · Score: 3, Insightful

    ... have a digital identification, and most everyone does, you have to be alert to possible wrongful use of it by others.

    Considering all the past digital leaks, I've got to wonder who hasn't had information on them digitally leaked?

  3. Captain Obvious says : by witte · · Score: 5, Insightful

    Maybe using Social Security numbers for just about everything isn't such a good idea.

  4. And in the UK today too by AmIAnAi · · Score: 5, Insightful
    A BBC article disclosed that a laptop had been stolen that contained Marks & Spencer employee details.

    From the BBC article:

    Salary details, addresses, dates of birth, national insurance and phone numbers were on the machine which was stolen from a printing firm.

    It is now too easy for huge quantities of private data to be carried around on laptops and memory sticks, often by people who do not understand the consequences of failing to protect that data. Companies need to be held to account when data is lost.
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
  5. Re:Wait... by Anonymous Coward · · Score: 3, Informative

    Are you stoned? They've lost control of important data that was supposed to be secure. That's a security breach.

  6. Physical Security by Detritus · · Score: 2, Insightful

    Even if you have decent physical security, some items will attract thieves. Anything shiny and portable is likely to walk out the door. A portable disk drive is a good example of a thief magnet.

    --
    Mea navis aericumbens anguillis abundat
  7. The problem isn't using the SSNs by MarkByers · · Score: 3, Insightful

    Using Social Security Numbers for everything isn't such a bad idea. It is a convenient way to identify someone, since it is guaranteed to be unique. The problem comes when the SSN is the only piece of information you need to take control over someone's life. There should be some more basic checks put in place to ensure the person is who they claim to be. An example could be mailing the person at their last known address and asking them to send a letter back with an authorised signature on a document that explains what is about to happen. When these basic checks are missing, it is no wonder it is so easy to steal another person's identity.

    --
    I'll probably be modded down for this...
    1. Re:The problem isn't using the SSNs by cellocgw · · Score: 2, Interesting

      Using Social Security Numbers for everything isn't such a bad idea. It is a convenient way to identify someone, since it is guaranteed to be unique.
      It may be unique, but it is most definitely NOT an identifier. Everyone over the age of about 45 (I forget the exact year) got a SSN by asking for it. The original intent of the Social Security Card was to let you and your employer (and Uncle Sam) track your earnings and taxes on said earnings. There was no proof of identity involved. I could have created a SSN for Lrac W. (instead of Carl, get it :-)) and nobody would have cared.
      Personally I think it was a disastrously stupid move to make SSNs legal identification. The bloody things don't have fingerprints, photos, DNA, or anything at all that prove who you are.

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  8. Ha! Ha! by mobby_6kl · · Score: 3, Funny

    Now they'll experience how it feels to be on the receiving end of violation of privacy!

  9. Portable HDD? by bulliver · · Score: 5, Insightful

    There's your problem. I can see the allure of using a portable drive, in that you can easily move the data around from computer to computer, but really, we have a better way to move the data: The bloody network! That HDD should have been screwed into a locked case mounted in a rack bolted to the floor of a securely locked room.

    --
    Support the mob or mysteriously disappear.
    1. Re:Portable HDD? by florescent_beige · · Score: 2, Interesting

      There is a pretty good reason to carry data around on a removable drive. It's cheap bandwidth.

      I know this because we used to do streaming backups to an offsite location (one of the guys' houses (we are a (very) small business)). The DSL we used had a download speed on his end of about 1Mb/s. That is .125MB/s. Carrying a 120GB drive home every night, assuming the drive is one hour, has a bandwidth of 34MB/s or about the speed of a T4 line. It's also essentially free because the amortized cost of the drive and caddy over a few years is about zero.

      --
      Equine Mammals Are Considerably Smaller
  10. Put Management's Data In The Databases by NeverVotedBush · · Score: 3, Interesting

    Why does it take a data breach happening to some organization to get them to decide to protect information?

    Maybe a law should be made that any organization that is trusted with public data be forced to embed all of their CEO's, CFO's, other officers', management's, and shareholders' data in the same databases.

    I know that the reason all this data keeps getting exposed is because management would rather save money instead of training their IT staff (if they need it) or just giving them the time to implement good, safe, data handling practices. Put their data on the line too and let's see how they decide about safe data handling practices.

  11. More security by blhack · · Score: 2, Interesting

    I'm still waiting for the day when full drive encryption becomes standard. You power the machine on, input a password (or insert a USB key and input a password) and the machine then continues normally. While this might not stop completely determined information thieves, it should put an end to drives full of personal info showing up on eBay. What would be even better is if it became required practice for anyone working with sensitive data like that.

    --
    NewslilySocial News. No lolcats allowed.
  12. some people never learn by Isaac-Lew · · Score: 4, Insightful
    Why would this information even be on a portable drive? And why would it not be encrypted?

    This is why I try not to use my Social Security number for identification purposes anymore. I really should try to figure out who has it & what I can do to reduce the use of it.

  13. This bears repeating by lawpoop · · Score: 3, Funny

    Wayne Madsen is maintaining a chart of data thefts of personal information. He lists 3 or 4 dozen thefts. He believes these thefts are an attempt to populate the Total Information Awareness databases.

    Never ascribe to incompetence what can be explained by malice, I guess.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  14. One-time pad encryption is unbreakable by davidwr · · Score: 2, Interesting

    I don't think you need unbreakable encryption for financial data, but for state secrets, a removable-drive one-time pad that is chained to the operator will do the trick.

    For anything less than a state secret, you want something that only the most well-funded adversary can break in a reasonable length of time. You get to define "reasonable."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  15. supposed to be unique, not always by davidwr · · Score: 3, Interesting

    SS#s are supposed to be unique. They aren't recycled.

    Every now and then you find out about a SS# that is not unique. The SS office issues a new number to one or both individuals and mea culpas all around. See this news story for one example.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  16. Why was this on a portable HD in the first place? by wwphx · · Score: 5, Informative

    I've been in gov't IT for 15 years, this should never have left the server farm. If it had to be on a portable device, it should have been a laptop and heavily encrypted, not that I can see a good reason to give anyone that info. The retirement planning people can make do with very little info.

    --
    When you sympathize with stupidity, you start thinking like an idiot.
  17. Re:Disk Encryption by tomstdenis · · Score: 2, Insightful

    or not wander around with an HD with sensitive data on it? That's just mental. That data should be housed only in a secure facility with only remote secure access to it.

    It's plain stupidity and laziness that compels people to defy the simplest rules of security.

    Tom

    --
    Someday, I'll have a real sig.
  18. You can't make this stuff up, folks by Master+of+Transhuman · · Score: 2, Funny

    I'm waiting for the news story that says the Department of Homeland Security just lost a hard drive with the personal information of every Federal agent in the government and all the White House security information on it.

    These people are morons. Their sole purpose in life is to screw up while pushing other people around with self-righteous notions that THEY are the ones "protecting" everybody else.

    It's the "cop mentality" writ large - which is the same basic mentality as a Mafia protection racket.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    1. Re:You can't make this stuff up, folks by chill · · Score: 2, Insightful

      If that does happen -- and hasn't already -- you will NEVER see a story on it. The reporter that runs that will find every lead, every contact and every story from the gov't sector totally dry up. Press credentials would be revoked and they'd probably get a "random" audit from the IRS, along with the census fill-it-all-out-or-go-to-prison long form. They'd be lucky if they could get a local dog catcher to talk to them.

      --
      Learning HOW to think is more important than learning WHAT to think.
  19. Re:It's astounding.. by mikkelm · · Score: 2, Insightful

    Any system that could leave hundreds of thousands of private records anywhere but in a centralised and secured database seems pretty bad to me. Luckily anything else is against the law where I'm from.

  20. The untold story by sjames · · Score: 2, Funny

    Apparently the screeners were distracted when someone tried to enter the area with a photo of a shampoo bottle and so they didn't notice the theft. According to the DHS, the photo was probably inserted into the shampoo ad by an al-Qaeda operative.

  21. Gov't infiltration? by wwphx · · Score: 2, Interesting

    I'm sure people at the Fed level have been reading /. for as long as it's been up. I've been on since we first got the web in the early 90's. I've only been at the state and city level, never the fed level.

    As a network and database admin, I've found it to be pretty darn important. I first read about I Love You at 7am at work when it sprang, told our security admin who doesn't read /. (or at least he didn't at that time) and he went and yanked the outside connection to our firewall. It did hit us, but very lightly compared to the rest of the city and for some reason the payload did effectively no damage.

    Slashdot is important, regardless of for whom you work.

    --
    When you sympathize with stupidity, you start thinking like an idiot.