May 13, 2010

A laptop stolen from a government contractor last month contained names, addresses and Social Security numbers of more than 207,000 U.S. Army reservists, Krebsonsecurity.com has learned.

The U.S. Army Reserve Command began alerting affected reservists on May 7 via e-mail. Col. Jonathan Dahms, chief public affairs for the Army Reserve, said the personal data was contained on a CD-Rom in a laptop that was stolen from the Morrow, Ga. offices of Serco Inc., a government contractor based in Reston, Va.

The laptop was one of three stolen from the Serco offices, but it was the only one that contained sensitive personal information, Dahms said.

Serco held the data on reservists as part of its contract with the U.S. Army’s Family and Morale, Welfare and Recreation division. As a result, Dahms said, some of the data on the missing laptop may belong to dependents and spouses of U.S. Army reservists.

The e-mail sent to affected service members expresses regret over the incident, but offers little other consolation. From the letter:

The Army takes this loss very seriously and is reviewing current policies and practices with a view of determining what can or must be changed to preclude a similar occurrence in the future.

At a minimum, we will be providing additional training to personnel to ensure that they understand that personally identifiable information must at all times be treated in a manner that preserves and protects the confidentiality of the data.

Dahms said, however, that the Army is looking at further steps to protect the identities of those whose personal information was potentially exposed by the theft, although he declined to name any specific solutions.

“We did have an extensive meeting with all key staff at U.S. Army Reserve Command to see what we can implement to make sure our soldiers and families are protected,” he said.

More than seven million consumer records have been exposed in at least 264 data breaches so far this year, according to the latest figures from the Identity Theft Resource Center, a San Diego nonprofit.  The ITRC has tallied some 38 other incidents of data loss or theft involving the government and/or the military so far this year, breaches that exposed nearly 300,000 records.


34 thoughts on “Stolen Laptop Exposes Personal Data on 207,000 Army Reservists

  1. Sticky©

    I understand that is really hard to keep an eye on every contractor you rely on but how it is possible to give away sensitive informations without enforcing restrictive security policies?

    You want to work with me? Ok, you have to follow those rules, no questions.
    We’re talking about names and SSNs plain written on a cd… It is so hard to enforce cryptography for sensitive data?

    Quickest solution: install Truecrypt, put sensitive information on a mounted partition and the burn the partition file. Whoever “find” the cd will see 700MB of useless data.

    1. Infosec Pro

      It ain’t so easy.

      Do your Truecrypt thing. Then find yourself in the wrong place at the wrong time when somebody drives drunk. What happens to access when you become unavailable?

      Yeah I know about key escrow and such, it ain’t easy and takes work which means cost and that reduces profit unless the contract specifies it won’t get done. Writing those contract specs takes work, time, money, so it delays project and adds bureaucracy – are those a good thing?

      It’s easier to criticize than it is to get it right!

      1. Jane

        Full drive encryption doesn’t have to mean that only one person has access. That could be the case with a laptop for personal use, but it doesn’t have to be on a company computer.

        1. Infosec Pro

          @Jane, yep, been there done that. It takes work, time and effort and money. Not as easy as just downloading Truecrypt, which was the OP suggestion to which I responded with “it ain’t that easy”. You validated my point by introducing the requirement for corporate infrastructure and/or policy for key mgmt etc.
          It is doable but not easy to do right, hence will be done reluctantly if at all. Far as I know the bank has made little progress on their implementation since I left, not much when I was there and pushing it.

          1. DS

            A little bit of over thinking here, don’t ya think? At min. the data should have been encrypted, period. Serco is now a headline. Whats the cost there Infosec Pro?? How much time is Serco going to spend making it right? Sufficient encryption is a legal safeharbor, a best practice, and an industry norm today. No brainer. This is a silly debate.

  2. Andy

    An excellent suggestion. But why aren’t they using encryption already? It should be standard. And we have had similar occurrences in the UK. When will the contract be terminated? Surely encrypted data protection should be included in the contract when data such as this is being held?

    1. Max

      I agree. Having served in the active world I ponder why the reservists & guard are just letting sensitive data go about without any protection. I know my unit was very big on OPSEC (operational security) & we never stored any sensitive data on personal HDD’s. It was always kept on issued thumb drives that were encrypted & this was in a “dumb grunt” infantry unit. If some how the enemy were able to get their hands on an officer’s laptop all they’d get were games & maybe after some poking around his hidden porn collection. No maps, no mission details, nothing of any strategic value in the grand scheme of things. If we’re going to be hiring contractors & entrusting them with sensitive data they’d better be following OPSEC. If any violations of this magnitude occur they had better be followed with instant contract termination. The potential cost in lives far outweigh the costs of hiring a new contractor to start from scratch.

  3. emv x man

    “The Army takes this loss very seriously and is reviewing current policies and practices with a view of determining what can or must be changed to preclude a similar occurrence in the future.”

    It’s a great shame the army didn’t take the matter seriously enough to have current policies that might have been useful in preventing it in this case.

    Why is government and it’s legions synonymous with too little too late; followed by an earnest investigation that will take too long and culminate in too little.

    1. Infosec Pro

      How many of the 264 data breaches BK cited were private sector?

      Maybe it’s that the government reports stuff private industry sweeps under the rug?

      Both private sector and government will do the easiest cheapest alternative until the results force improvement.

      Government looks worse because transparency is forced upon public agencies whereas private business hides their misdeeds until the public interest forces regulatory oversight in response to the consequences.

  4. Jim

    This type personal information should not be serviced with a portable device. How stupid can a contractor be? All entities responsible for sensitive personal information should be mandated to use a secure system other than portable.

    1. Infosec Pro

      Unrealistic given a mobile workforce, telecommuting and business travel. Tying to a desktop would increase cost, both private sector and government are going the other way.

      Besides even desktops get stolen, sometimes from reasonably secure premises. I had a client who lost a bunch of high end desktops as the target of an armed robbery premises invasion a few years ago (envision ops mgr working late with gun in face).

      There is no silver bullet or magic pixie dust to prevent this. Imagine cloud computing as the solution?

  5. john

    As other commenters have noted, there is adequate technology available to prevent this type of loss. Army may be different, but most federal contracts contain provisions requiring vendors like Serco to protect the data they are given. There are penalties for failure. The question is whether the Army will enforce the contract.

    It’s not encouraging that the Army’s response says nothing about improving contract oversight.

    1. Infosec Pro

      Without knowing contract language it is pure speculation whether there is a contract oversight issue.

      If the contract language specified imprecisely (eg “exercise due care” or even “follow commonly accepted practice”) the attempt to impose sanctions would enrich lawyers arguing what those mean in technical terms. The COTR is unlikely to open such a can of worms absent egregious misconduct.

      Btw how many of you negotiate contracts specific to the level of technical infosec implementation details? And then update the language as technology evolves (eg replace DES with triple-DES and the AES)?

      Let he who is without sin throw the first stone.

  6. Infosec Pro

    Is it known fact that the data was not encrypted?

    Is it possible that prudent legal practice would report and notify in the event of loss of encrypted sensitive content?

    Should it?

      1. Infosec Pro

        So data was on CD? I missed that detail in original report. Laptop theft was incidental, data on CD is almost as portable as thumb drive, much more serious concern that’s been overlooked.

  7. Christine

    I think many of the government employees are issued laptops as desktop alternatives. This theft occured out of the work place, not the employee’s (contractor’s) home. So beyond having a locked office (and the Army is big on cube famrs) you’re hoping your computer won’t just walk off. There is no reason for the data not to be encrypted though – that’s a no-brainer.
    I just hope they figure out who was really affected and what information was compromised – they’re very vague….

  8. qka

    Yes, it’s a problem that this data fell into the wrong hands. And yes, procedure reviews are appropriate at this contractor.

    However, as Mr. Krebs reported, it was stolen from their office, not from the car of an employee or some other off-premises location. Big difference. Presumably the office was locked and possibly alarmed. So it is likely reasonable precautions were in place.

    If it was an inside job, that’s a whole different problem.

  9. d

    There should be a DOD policy that should have been implemented a long time ago. The procedures should have been updated to reflect current trends. For instance, I can track my iPhone, but there is no way they can track the laptop? The DOD should also establish a policy where some type of huge penalties is doled out to the contractor’s company and the individual contractor as well. During my reserve years, we constantly received Excel spreadsheets emailed to members that contained our addresses, SSNs, phone numbers, email and our mother’s maiden name. (No encryption, they just hid some columns with sensitive data!) My info was lost so many times I would have gained more by selling it to a cyber criminal for $5. The last time concerned my government-issued BOA credit card. The advice I received was about the same as Colonel Dahms provided.

    To those who left comments saying working in the modern world requires portable devices, this makes no sense when despite our best efforts to safeguard ourselves, some contractor loses our most sensitive information.

    1. MK

      If you read the article you’ll see that recovering the laptop really wouldn’t be of any consequence in this case.

      However in the larger point I agree. Rules for protecting sensitive data need to be standardized across the board with respect to government/private contractors (which will probably never happen).

      1. d

        Yeah, but my point is finding the laptop would help them find out what happened to the data. But, and I did read the article, its seems like this is an inside job. The person may have just thrown the CD away. Since he or she took three laptops, but only one had a CD with sensitive information on it, he or she probably never intended to grab any data, just the laptops. Hence, that’s why finding the laptop would be a good idea. And if the person was “smart enough” to get hired for the job, they had to know that stealing the CD should put some heat on the theft. Otherwise, it would just be a theft of three laptops at Serco.

        @Chez

        Obliviously, with this type of incident, the 2007 DoD policy isn’t really working too well! It’s sad when you serve your country and some contractor loses your information, not to mention the spouses and family members. Putting encryption aside for the moment, chain of custody should have also been observed. If you know a disc has that type of data on it, why leave it lying around in a laptop or out in the open?

        1. AlphaCentauri

          The monitoring programs to help you locate a stolen laptop might be practical for individual owners. But do you want to take home a laptop knowing your employer has the ability to see where you are and even take photographs of you while you are there? There is currently a brouhaha at a wealthy school district in the Philadelphia area where no one remembered to shut off the software after missing school-issued laptops were recovered, so the students given those computers were being photographed at home in their bedrooms every 15 minutes, day and night, for weeks.

    2. Chez

      There *is* a DoD policy in place already, been in place since 2007, requiring encryption of data on removable devices, including CDs and USB drives.
      There is also a policy in place requiring encryption of sensitive information on hard drives, and that policy extends to contractors. Somebody did not follow *established* policy.

    3. AlphaCentauri

      I’ve been notified a number of times that my data has been on a stolen laptop. In some cases, it’s not even clear how the organization in question even got my data in the first place, as I hadn’t ever deal with them directly. So there’s a lot of data sharing even without there being any theft or loss. And short of changing my social security number, I can’t ever assume my data is private again.

      Besides, every employer you’ve ever worked for has your data. (After all, that’s the only thing social security numbers were ever intended for.) You have no control over the employees they subsequently hire to manage it.

      Given that there is a huge percentage of the population whose personal data is already at large, why do we act as if it’s still an aberration? Just assume everyone’s information is already fully public. Stop treating a social security number like a signature. No one should be able to take out a credit card in my name just because they know my social security number. And no institution should be allowed to lower my credit score or raise my interest rates, just because I choose to put a “fraud alert” on my accounts to prevent unauthorized use of my data.

  10. Jeff

    The laptops were not located at a government facility. The contractor was negligent in this. The Government never should have allowed this data to be taken off Govenment property.

  11. Jeff

    The laptops were not located at a government facility. The contractor was negligent in this, but the Army Reserve never should have allowed this data to be taken off Govenment property. Also, all military issued laptops and desktops are encrypted, the contractor utilized the CD on their own laptop.

  12. JCitizen

    There are plenty of PC locator programs that act like LoJack for PCs. I can’t understand why institutions like this continue on like they have no wits at all.

    Cost shouldn’t be an issue, because recovering the damage done to service members is much greater. It is just incredible that here in 2010, the government still doesn’t have a clue about encryption or other security data measures.

    Even when I was a supply clerk in the Army 20 years ago, we treated personnel data like it was a golden arms shipment. We had almost as much security as when we moved the bomb!

    The only time the data was vulnerable is when one or two sheets of data were laying on the desk as part of a current work load, and those were turned face down, when switching to the next step. Then they were locked in an armored cabinet and that was bolted to a concrete floor.

    What happened to common sense?!

  13. george

    Honestly, I don’t think the problem would have been avoided if the data on the CD was encrypted. All encryption methods are vulnerable (to the very least to a brute force attack). Knowing the data contains names and Social Security numbers further reduces the entropy and consequently the effort to decrypt it by brute force. It might take take days or weeks with modern computers but remains quite achievable for a determined criminal group. I consider the data should not have been left physically secured servers in a Army’s Data Center. Access from outside should have been via a secured VPN connection to a read-only copy of the database. Was data needed in the field ?
    UMTS access over GSM network is possible for a 20 Euro flat fee from anywhere where is coverage. This might not be yet available everywhere in the US, like in Western Europe but alternatives exists (satellite phones, etc).

  14. Steve

    @Jane, yep, been there done that. It takes work, time and effort and money. Not as easy as just downloading Truecrypt, which was the OP suggestion to which I responded with “it ain’t that easy”. You validated my point by introducing the requirement for corporate infrastructure and/or policy for key mgmt etc.
    It is doable but not easy to do right, hence will be done reluctantly if at all. Far as I know the bank has made little progress on their implementation since I left, not much when I was there and pushing it.

  15. Dorothy

    That was so terrible.But i wish the data was backed up some where for a company like that at least it should have backups online for security reasons.Well my company has got its backups online with (SafeCopy) online backup.This online backup system is good because their prices are so effecitive because for 200GB of space,one only pays 50bucks a year and the company now backups up more than 2computers on one account and am so happy that safecopy has upgraded its free unlimited 3GB trial to 5GB this is so cool.

  16. Asset Recovery

    It’s a matter of conern that the army didn’t take the matter seriously enough to have current policies that might have been useful in preventing it in this case. The best way is to have IS audit and control done on the whole system.

  17. Bridget77

    I feel really bad for those 207,000 Army Reservists. I hope the governement pays for them to have identity theft protection. This is exactly why I use Lifelock. I LOVE them! This is my biggest fear, my company losing my personal data. You guys should check them out, if you don’t have ID protection.
    http://www.lifelock.com/landing/real/safe .

  18. Jahongir

    It seems, the government agency responsible for protecting the whole country is incapable of protecting a single laptop computer. If everything goes this lax, the US is doomed !

Comments are closed.