This article discusses a recent Department of the Navy (DON) Personally Identifiable Information (PII) breach involving a ring of identity thieves caught with stolen DON military members’ records in their possession.
Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information (DON CIO) Privacy Office.
The Incident
The breach occurred within the past year when a local police department was called to a hotel. There they discovered individuals with cameras, computers, identity card making equipment, and stolen documents, not only belonging to members of the public, but those of 53 DON military service members. Documents were dated from 2011 and 2012 and contained Social Security Numbers (SSNs) and other sensitive PII.
The individuals involved were a known ring of criminals and had previously been characterized as well-established and sophisticated. There was evidence of social media data mining to obtain additional personal information. There was also evidence of falsified driver’s licenses, credit and debit cards.
Actions Taken
Three arrests were made but a trial date has not been set.
No reports of suspicious or fraudulent financial activity have been reported by the affected service members.
There was reason to suspect that a military member “insider” might have been the source of the stolen military records found. However, no evidence has been discovered to support that claim.
All personnel impacted by the breach received written notification letters per DON policy.
Lessons Learned
Supervisors must remain vigilant, observing and overseeing their employees when they have access to sensitive information, such as PII, noting and reporting any suspicious behavior. The “insider threat” is real.
DON personnel should check financial accounts periodically for any suspicious or fraudulent activity.
The following statistics illustrate just how prevalent identity fraud has become in the United States.
The Bureau of Justice Statistics (BJS) reports that:
- Seven percent of adults (12 million) were victims of identity fraud in 2012.
- 85 percent of identity fraud cases involved the use of existing accounts such as credit card or bank accounts.
- 29 percent of identity fraud victims spent a month or more resolving credit problems.
The Federal Trade Commission (FTC) reports that:
- Government documents/benefits-related fraud was most common at 46 percent, with credit card fraud at 13 percent.
- The Miami/Ft Lauderdale area had the highest incidence of identity fraud in 2012.
Javelin Strategy & Research reports that:
- One in four data breach victims became identity fraud victims.
- Three out of every five victims did not know the source of their identity fraud.
- One in seven identity fraud thieves were known by their victims, this is also known as “Friendly Fraud."
- More than50 percent of identity fraud victims detected fraud using financial alerts, credit monitoring, or by monitoring their own accounts.
Paper records no longer required or those that have reached their retention schedule date should be rendered unrecognizable or beyond reconstruction in accordance with Secretary of the Navy Instruction (SECNAVINST) 5211.5 series, Department of the Navy (DON) Privacy Program.
Semiannual privacy compliance spot checks help ensure documents containing PII are safeguarded properly and only available to those with an official need to know.
Leadership must ensure all assigned personnel complete mandatory annual privacy awareness and information assurance training.
Privacy resources can be found on the DON CIO website at www.doncio.navy.mil/privacy.
Steve Daughety is the privacy lead for the Department of the Navy Chief Information Officer.