Theft of Storage Media Containing PII
By Steve Muck - Published, November 29, 2009
The following is a recently reported compromise of personally identifiable information (PII) involving the theft of storage media containing personal information. Names have been changed or removed, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
The Incident
On July 27, 2009, the DON CIO Privacy Office received a breach report that initially was thought to be one of the DON's largest and most egregious to date. While only sketchy details were received in the first report, the DON CIO alerted the Under Secretary of the Navy, Navy Chief of Information (Public Affairs), Naval Criminal Investigative Service (NCIS) Headquarters and the Defense Privacy Office, then waited for updates to come in. Here is a summary of what was first reported:
"A headquarters complex was burglarized over the weekend. Numerous items, including storage media, were stolen from our workspaces. Police and local NCIS have been contacted. At least 10 laptops and 9 external hard drives were stolen. One laptop contained a file with approximately 60 system passwords/usernames/secret words along with the link to the related sites; a file that contained personal financial data including bank accounts, investment accounts, credit cards, salaries for myself and my wife, expenses, gifts and overall balance sheet.
The file also contained links to the various financial institutions, as well as passwords/usernames/secret words and phone numbers; my entire contact list which included work and personal cell phone numbers, addresses, and personal notes, such as birthdates for friends and family; a file that recorded my lifetime government pay, bonuses, awards, promotions and salary; 'government only' contract sensitive information; discrimination and hostile work environment correspondence and a host of other privacy or sensitive information."
This incident was most disturbing because it involved theft and appeared to target storage media that held large amounts of data that were easily transportable. Follow-up reports provided a much better outlook with regard to potential damage to the DON and to affected personnel.
In the final analysis, only one laptop contained PII that was considered "high risk," affecting eight individuals. Most of the stolen storage media were either brand new (still in the box) or encrypted with the GuardianEdge encryption solution. An investigation is ongoing to identify the perpetrators.
Lessons Learned
- Insider threats continue to cause the most concern with regard to PII data and the high potential for identity theft.
- Physical security plans must be continually scrutinized and updated.
- As a best practice, never store your PII on a government computer.
- Personnel should never store unencrypted passwords/usernames/secret words and links to URLs on a government computer.
- External hard drives are becoming as vulnerable as thumb drives; a best practice should be to physically secure them at the end of each workday.
- Regardless of who owns the equipment, inventory controls must be in place and tightly enforced.
Full disc encryption works. The theft of storage media containing PII with data at rest encryption should be reported to the U.S. Computer Emergency Readiness Team (US-CERT) within one hour even though it is generally not considered a high-risk event.
Steve Muck is the DON CIO privacy team lead.