The following narrative is a recently reported Personally Identifiable Information (PII) data breach incident involving identity fraud committed by a Navy service member who had authorized access to Department of the Navy (DON) PII. Insider threat incidents are increasing and are very difficult to prevent. Incident case studies such as this are reported in CHIPS to increase PII awareness. They are based on reports sent to the DON Chief Information Officer (CIO) Privacy Office.
Background:
In August 2014, a Navy service member who had previously been serving as the command credit card program administrator was detached from his command and was placed on legal hold for one year pending investigation for government credit card fraud (4 counts). In August 2015, the member received a bad conduct discharge and was confined to a Navy brig.
The Incident:
During his confinement, his partner found a cache of sensitive PII documents that he had left in her apartment, and promptly reported it to the Naval Criminal Investigative Service (NCIS).
PII contained in the various documents consisted of Social Security numbers (SSNs), birth dates, home addresses, phone numbers, email addresses, mothers' maiden names, medical records, and financial information, including bank and credit card information. Former and current command personnel have been negatively impacted by this incident.
Actions Taken:
- The DON Privacy Office directed that affected personnel be notified of the breach.
DON senior leadership was notified due to the nature of the breach and its impact on DON personnel.
- In response to this and other PII incidents, the DON CIO began a compliance and awareness campaign to increase the understanding of the importance of safeguarding PII throughout the department.
Lessons Learned:
- Supervisors can mitigate the misuse of PII by closely monitoring personnel who, by the nature of their jobs, have authorized access to sensitive PII such as SSNs, financial data, etc. They should also remind employees that reporting security concerns, including the misuse of PII, is critical to preventing identity fraud.
- DON personnel must know that if they see suspicious activity, they must report it to their supervisor.
- Implementing technology solutions to detect access of PII can be effective tools to deter identity fraud.
- The DON’s increased use of automated user activity monitoring under the DON Insider Threat Program should decrease fraudulent use of PII within the department.
According to the Federal Bureau of Investigation (FBI), there are warning signs and behaviors that may predispose personnel to committing identity fraud including:
- Working odd hours such as coming in earlier or leaving later than their coworkers.
- Living beyond their means.
- Excessive debt.
- Experiencing personal crises or career disappointments.
- Exhibiting compulsive and destructive behavior such as drug or alcohol abuse or other addictive behaviors.
- Approaching retirement or separation from service.
DON Identity Theft Resources:
The Department of the Navy Civilian Employee Assistance Program (DONCEAP) offers free 24/7 identity theft confidential consultations and referrals for DON civilian employees and their family members. The identity theft and fraud resolution program provides legal, financial, and identity theft services.
Services are offered as a benefit from the Department of the Navy to you and your family members. View more information on DONCEAP Identity Theft Support here.