Insider Threat

By Steve Muck - Published, February 20, 2009

The following is a reported loss or breach of personally identifiable information (PII) involving a Department of the Navy information system with lessons learned from the event. Names have been changed or removed, but details are factual and based on reports sent to the DON Privacy Office.

A former civilian contractor, working in support of the Navy Marine Corps Intranet (NMCI), obtained personally identifiable information associated with approximately 17,000 individuals. The PII was downloaded to a thumb drive and consisted of names associated with Social Security numbers, home addresses and other data elements.

The contractor, who had a criminal record, then attempted to sell this information to an individual he believed to be a foreign spy, but who was actually a law enforcement official. The contractor was arrested April 18, 2008, and was later found guilty of aggravated identity theft and exceeding authorized access to a computer for personal gain. He is now awaiting sentencing.

The conviction for exceeding authorized access to a computer for financial gain carries a maximum sentence of five years in prison. Aggravated identity theft carries a mandatory two-year sentence that must be served consecutive to any sentence imposed for the charge of exceeding authorized access. Both counts also include maximum fines of $250,000. A maximum sentence of incarceration for seven years is possible.

This breach attracted national media attention and demonstrated how the insider threat is potentially more damaging than breaches involving human error.

A joint investigation by the Naval Criminal Investigative Service and Federal Bureau of Investigation found that the contractor also sent screenshots of PII to two e-mail addresses of individuals who did not have a need to know and with the intent to sell the contents of the entire database.

The individuals whose PII was compromised via the two e-mails have been notified. The investigation concluded that the bulk of the database was not compromised.

Lessons Learned

• The insider threat, with access to large amounts of privacy sensitive data, poses a significant and real danger to the Department of the Navy.
• Defense Department and DON policy require personnel who access PII to receive a favorable personnel security investigation. The background check for the individual involved in this incident was not initiated. See DoD Directive 5200.2-R, DoD Personnel Security Program, and Secretary of the Navy Manual, Personnel Security Program, SECNAV M-5510.30, for details of this security guidance. Increased awareness of DoD and DON policy is recommended.
• Contract language clearly identified the need to conduct a security investigation for personnel hired to fill the contractor position, but it was not initiated. Improved contract oversight is needed.
• A base security access system that accurately screens criminal offenders was not available and would have provided another means to prevent the perpetrator from gaining access to the base and NMCI network.

TAGS: Cybersecurity, IDManagement, Privacy