
Proving it's hard to prevent stupid: Military medical records stolen from car

The records of military service members were stolen through sheer carelessness. Read Bob Eisenhardt's sobering take on the data security lapses committed in this major breach.

Just recently, I became aware of a security scandal of major proportions regarding a frightening breach of medical data that is well worth our collective thought and darkest fears.

Scientific Applications International Corp, better known as SAIC (those wonderful folks who gave New York City the financial black hole known as CITYTIME) has a disaster on its hands. The medical records of our soldiers have been breached. Stolen in point of fact. How? Some hacker sitting in a room in China breaching the firewalls? Some theft through a website attack? An HP OfficeJet printer hack?

Here is the insidious theft recipe. Take an open car door, add a few backup tapes on the seat, and park in a hot car for a few hours. Serves one.

First, the scope of the theft: 4.9 million records, military service members, between 1992 and September 14, 2011 in San Antonio, Texas. The cutoff date is absolutely precise. While credit card data was not accessed (so they say), other data such as Social Security numbers were stolen.

Astonishing fact: the data itself was unencrypted because SAIC claims they do not have the capability to encrypt the data to government standards. SAIC is nothing but government work and has major defense contracts with the Pentagon. To claim they lack the encryption standard is amazingly lame. But dear reader, worse is to follow.

This is a major scandal that has received almost zero media publicity. Somebody opened the car door and took the tapes along with a stereo and GPS device. It's that easy, folks. For all of our intelligence with technical details, impregnable firewalls, for locking down data through encryption, an open car door does it every time. For all of our supposed intelligence ... fools rule.

Here is the news link - read this and weep.

http://www.scmagazine.com.au/News/275269,five-million-unencrypted-us-soldier-records-stolen-from-car.aspx

Since starting this heart-wrenching report, I have uncovered more details, all totally depressing. Apparently an SAIC worker was carrying the tapes offsite to transport them from one secure location to another secure location. Point to Point?  I have a big problem right here as the tapes were left in the car parked at 300 Convent Street in downtown San Antonio ALL DAY from morning to evening when the theft occurred on September 13th, and not reported until September 14th. It did not take all day to deliver the tapes.

Secondly, does anyone know there is a hot thing called a Sun above us, and that San Antonio is a hot location!! Tapes do not survive well in heat. Since data tapes are used in disaster restoration situations, even if the tapes were not stolen, we can potentially toss that one out the window as well. But it gets worse, as if that is possible.

One observer was hard pressed to state that "simple carelessness" was one answer.  Oh, really?

The remediation advice is equally lame. Douglas Pollack, CEO of ID Experts, Inc. said that most data theft comes from "stupid stuff ... mundane human issues such as theft of a laptop or a thumb drive." As Leroy Jethro Gibbs of NCIS would observe, "Ya think?" ID Experts has recommended that "SAIC and TriCare perform periodic assessments to help identify the risks involved with transporting massive amounts of sensitive health care information in a non-secure manner." I don't think that a more bland assessment statement has ever been released, although the Soviet response to Chernobyl or the Kursk sinking may come a close second.

Stupid stuff is the line item we have THE MOST CONTROL OVER. In the world of tech security, I often believe that we are always 5 or 10 minutes BEHIND the bad guys, that no matter how good our firewalls and websites, somebody out there is already finding a hole that none of us has yet considered. We can never attain 100% lockdown. But in this instance we have absolute control of the causes for data theft.

I hesitate to even venture my response, but here goes. Employ encryption even if only on the data transfer level to STORAGE media. Since tapes fail 47% of the time, only employ secure and encrypted hard drives. When in transport, place media in a secure, locked box that cannot be seen from the outside of the vehicle. While in transport, point to point security is MANDATORY, drive from location to location with sign-in and sign-out authentication and time stamps. Hand off to secure personnel at the storage location, and store locked in view of such personnel. Employee is then mandated to return immediately to work or other duties as assigned. Employee is signatory responsible for the data.
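One way to enforce the sign-out and sign-in time stamps recommended above, as an added example that is not part of the original article: a small audit over a custody log that flags media leaving unencrypted, transfers that run past a transit limit, media signed in by the same person who signed it out, and media never signed in. The field names, the one-hour limit and the sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample custody log (illustrative only, not real records).
EVENTS = [
    {"media": "HDD-001", "event": "sign_out", "who": "courier_a",
     "time": "2024-01-15T08:00", "encrypted": True},
    {"media": "HDD-001", "event": "sign_in", "who": "vault_clerk",
     "time": "2024-01-15T08:40", "encrypted": True},
    {"media": "TAPE-007", "event": "sign_out", "who": "courier_b",
     "time": "2024-01-15T08:05", "encrypted": False},
    {"media": "HDD-002", "event": "sign_out", "who": "courier_a",
     "time": "2024-01-15T09:00", "encrypted": True},
    {"media": "HDD-002", "event": "sign_in", "who": "courier_a",
     "time": "2024-01-15T12:30", "encrypted": True},
]
NOW = datetime(2024, 1, 15, 18, 0)  # constructed audit time

def audit_transfers(events, now, max_transit=timedelta(hours=1)):
    """Return (media, problem) findings for a list of custody events."""
    findings, pending = [], {}  # pending: media -> (sign_out event, time)
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["event"] == "sign_out":
            if not ev["encrypted"]:
                findings.append((ev["media"], "left site unencrypted"))
            pending[ev["media"]] = (ev, when)
        elif ev["event"] == "sign_in":
            if ev["media"] not in pending:
                findings.append((ev["media"], "sign_in without sign_out"))
                continue
            out_ev, out_when = pending.pop(ev["media"])
            if when - out_when > max_transit:
                findings.append((ev["media"], "transit exceeded limit"))
            if ev["who"] == out_ev["who"]:
                findings.append((ev["media"], "no hand-off to second person"))
    # Anything still signed out past the transit window is overdue.
    for media, (_, out_when) in pending.items():
        if now - out_when > max_transit:
            findings.append((media, "overdue: never signed in"))
    return findings

if __name__ == "__main__":
    for media, problem in audit_transfers(EVENTS, NOW):
        print(f"{media}: {problem}")
```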

I just don't know anymore, maybe I am too smart for government work after all. Maybe I will park my car in town with a few laptops visible and see how long they last. At least my survey results will be valid.
