Tuesday, May 23, 2006
previous entry | main | next entry | TrackBack (0)
My question about the stolen veterans' data
I'm still trying to wrap my head around one aspect of this story regarding the apparent theft of 26.5 million military veterans' personal data (names, social security numbers, and birthdates). According to the New York Times, "[The data] was stolen from the residence of a Department of Veterans Affairs employee who had taken the data home without authorization, the agency said Monday." Let's assume there was authorization -- what possible reason would a DVA employee have to take home that kind of data? This sort of episode does raise some intriguing questions about supporters of national ID cards or other central registries -- to what extent does the possibility of data piracy negate whatever security gains would be generated by such ideas? UPDATE: The VA didn't alert the FBI about the stolen data for two friggin' weeks??!!! What did they think -- it would just show up after looking under the couch cushions? posted by Dan on 05.23.06 at 11:46 AMComments: This sort of episode does raise some intriguing questions about supporters of national ID cards or other central registries -- to what extent does the possibility of data piracy negate whatever security gains would be generated by such ideas? Ah, what it shows we already have a de facto national ID card. There was a time, about 30 years ago or more, when your military ID number was different than your social , but they have been the same number for at least three decades. You need the SSN to serve in the Armed Forces (and presumably to register with Selective Service, I forget). You need the number to apply for credit cards, loans, student aid, a job, just about everything. So why don't we embed that number on a card that will be difficult to counterfit (and will hold up better over time)? Is it because powerful factions want the SSN card to be easily forged? Or am I paranoid? posted by: Mitchell Young on 05.23.06 at 11:46 AM [permalink]Paranoid posted by: Racer X, Speed Racer's (unbeknownst to him) brother on 05.23.06 at 11:46 AM [permalink]what possible reason would a DVA employee have to take home that kind of data? Maybe the person took his/her laptop home to do so work and the laptop got stolen. I would have thought any employee who needs to access sensitive info would have kept it on a server at work and accessed it via a VPN thereby preventing the data from residing on the local drive. Poor schmuck, was at the wrong place at the wrong time. posted by: Krishnan on 05.23.06 at 11:46 AM [permalink]A database containing even that minimal identifying information for 26.5 million people would be fairly large. Assuming 200 characters of information per person, that's a 5.3 gigabyte file, many times what you could fit on a single CD-ROM and even more than what could fit on a DVD-ROM. That suggests (per Krishnan) a stolen laptop. posted by: alkali on 05.23.06 at 11:46 AM [permalink]Possible reasons would include wanting to run some analyses based on the data in a database--say, for example, Excel analyses on an Access database, which is what I'm familiar with. I've had to do some of that, and it's not really something I would want to try to do remotely, given the size of the file and the processing required. Quite frankly, I wouldn't want to do it on a laptop at all, given the processing required, but I imagine it would only be worse over a VPN. posted by: NK on 05.23.06 at 11:46 AM [permalink]There is very little you could do with Excel on a database that size. Any practical processing would be done on a server running a "real" database such as Oracle or whatever. The poor shmuck would have had SQLPLUS or a graphical query tool available that crunches the data on the server and only transmits results over the network. In other words, the schmuck was also a putz. And his boss was a schlemiel for not having procedures that preventing this. posted by: computer geek on 05.23.06 at 11:46 AM [permalink]As luck would have it, my lunch break CSPAN viewing had a House committee debating national-ID ... for livestock. posted by: Mitchell Young on 05.23.06 at 11:46 AM [permalink]Contrary to what "computer geek" claims, laptops are sufficiently powerful for data analysis of that nature, though he's correct in that Excel generally won't be the tool used. I have in the past, however, cloned several gigabytes of print accounting SQL data to a laptop (Postgresql both on server and laptop) so I could play with some analysis code without having to do anything that might tamper with the live accounting system. The laptop in question wasn't all that much slower than the server in crunching the data. I have no idea what the DVA employee's role was, but there are lots of reasons to take data related to an interesting or difficult problem home to pound on over a weekend. The only immediately recognizable error is in removing sensitive data from a secure environment. As to having procedures preventing this... other than better training, what exactly would you suggest? If the analyst required raw access to the data for whatever reason (e.g. because he's writing new code), then he can move that raw data to any other machine he has access to. Any technological measure to prevent this would also in that case prevent him from doing his job. My utterly uninformed guess is that his managers made the mistake of not making it clear what data was considered sensitive and not to be moved out of secure areas, the tech decided to put in some extra hours at home working on a problem, and had a spate of unnaturally bad luck. If that's the case, I hope they fix the training issue without scapegoating the tech. posted by: Zed Pobre on 05.23.06 at 11:46 AM [permalink]The data might have been only 80 characters per individual or even less. 80 characters if it was a legacy file, designed back in the days of punch cards. My guess (having committed a similar error myself way back when) is the person is an IT type making the mistake of using live data as a test data set. That's more probable than a VA bureaucrat having to do production processing against such a data set. As for data piracy, it's not a major problem in a properly designed system. You put in checks and balances, audit trails, and divided esponsibilities. Of course, you have to protect the system against the system builders and invest the resources to create test data that's not real. And there's always a way to get around safeguards (read David Baldacci's "The Camel Club" for example). But I tend to think we'd do better by putting all our eggs in one basket and watching the basket than having them spread out. posted by: Bill Harshaw on 05.23.06 at 11:46 AM [permalink]> Any practical processing would be done on a Oracle can be installed on a laptop. Tom Kyte (http://asktom.oracle.com), VP of Technology at Oracle, runs 5 or 6 versions of Oracle, using both Linux and Windows, under VMWare on his laptop. However, I would think it was more likely the data was in transit from one place to another (for a meeting or something) and a laptop was stolen. Cranky posted by: Cranky Observer on 05.23.06 at 11:46 AM [permalink]> The only immediately recognizable Having worked quite a bit in data security, I am sadly coming around to Eric Schmidt's theory: there is no such thing as data privacy, and very little in the way of data security either. It is too easy to transport data, and the incentives to do it are much higher than the everyday penalties ("have that report on my desk by 7 AM or you're fired!") that might accrue if the extractor is caught. I wouldn't be surprised if all my credit card, bank account, etc data wasn't stored on someone's laptop at each entity I do business with. Cranky posted by: Cranky Observer on 05.23.06 at 11:46 AM [permalink]
There are several methods available to prevent this. In the first place, if he was writing new code, he should not have had access to the live data at all. Code development should be separate from operations. And if it contained such sensitive information, the subset of people who could access it should be even more restricted. t. Even more so, SQL access to the database should be restricted. If you want to do crunching on it, make a copy with anonymized identification and personal data and people can pound on that to their heart's conten. There are business tools that can extract summary and reporting data too. Of course, everything relies on some trusted person -- maybe the DBA or the Sys Admin. But those people should have no need to crunch this data in the first place, let alone take it home. If I were the CEO of such a company, I would fire the CIO the moment the current crisis is over. posted by: erg on 05.23.06 at 11:46 AM [permalink]Cranky and Zed, A very similar thing happened this past winter with a major health insurer here in Oregon. Providence Health Care had a policy where all of their data was backed up & stored in a van. For "security purposes", a different employee was responsible each night for taking the van home in case anything happened to the physical building. On New Year's Eve, someone broke into the van and stole 400,000 records with social security & health status information. I was stunned that this was considered a viable security procedure, and I wonder if, despite the "without authorization" bit, a similar thing may have happened with this situation. posted by: sarah r on 05.23.06 at 11:46 AM [permalink]> I was stunned that this was considered a That is a very standard backup procedure for small(er) non-public companies, and sometimes those companies fail to recognize when the point arrives where it is no longer an appropriate method. Cranky posted by: Cranky Observer on 05.23.06 at 11:46 AM [permalink]There are a number of statistics packages out there (e.g. SAS) that will happily digest a raw file of many million records. These run just fine on laptops. (Just to expand the possible reasons why the data was on a laptop at all.) However, I'm amazed that the data wasn't encrypted. There are products that maintain all data on the hard disk in an encrypted state, transparently decrypting and re-encrypting on the fly when the proper key (which is erased when the laptop is shut down) has been set. On a modern processor the performance hit from doing this isn't at all bad. (Apple supports this scheme out of the box.) The same solution applies to offsite backups. It's not a panacea, and key management can sometimes be a bit of a chore, but I'm surprised it isn't used more widely. posted by: modus potus on 05.23.06 at 11:46 AM [permalink]As someone affected by this breach of security, I have some thoughts on the situation. I agree that that the level of security training is unacceptably low. The answer is to make so bloody an example of both employee involved, his supervisor at the very least, and if policies where inadequate to prevent this disaster, the person responsible for formulating policy, so severe a penalty that the entire agency is shocked and horrified. I suggest so thoroughly publicizing the names of all responsible that they are never able to find work in this field again, absolute destruction of their professional reputations - a penalty commensurate with what would happen to a military member who committed a similar breach of security. Since this agency serves veterans, anything less would be inequitable.
Mitchell Young is not paranoid; of course there are people want SSNs readily available for forgery, and they have enough money to give them some degree of influence. Document fraud is a huge industry in this country, and alien smuggling is becoming a valuable part of drug cartels' business on the SWB, one that may eventually eclipse drug smuggling itself, as has already happened in Europe. Illegal aliens are a major market. Would you like price quotes? There's no reason why the employee should have had that data. His or her work simply could not justify taking home the entire repository. There is just no good justification for why they couldn't VPN into the agency network or do remote login to the database server as a user with limited privileges. What this shows you about the supporters of a national ID card is that they are part of the "reality-divorced community." In the real world, government and corporate database security is all too often terrible. Do you want someone with a single ID card that is the key to accessing vast volumes of information about you? posted by: MikeT on 05.23.06 at 11:46 AM [permalink]Zed, Ever try running Oracle 10g **express** on a system with less than 1GB of RAM? I don't recommend it. The odds that the VA uses anything other than Oracle or Sybase are slim to none. The federal government uses both of those extensively. Oracle 9i or 10g are not the sort of thing that you run on a typical development machine. The express version of 10g, IIRC, can only handle up to 1GB of database data anyway. Could he run Oracle or something equally big on a good laptop? Sure, but what are the odds that he had an up-to-date laptop that costs a few thousand dollars? PostgreSQL and MySQL could run just fine, but Oracle is way too much of a beast to casually run on anything other than a GOOD development laptop and I'd be surprised to see the government splurge on such a thing. posted by: MikeT on 05.23.06 at 11:46 AM [permalink]Dr. Hemlock is also likely one of those victimized by this incident. After 20 years in the military, I can't think of a single reason for this individual to have the data at home. You don't take work home in the government -- not work like this, that involves Privacy Act issues. There is a stupefyingly large number of regulations that govern use, management, and abuse of data -- not a one says "take this home over the weekend if you want." And forgive me for being cynical, but mid-career civil servants don't take work home at all -- that's why it's called "government work." There's more here than meets the eye. posted by: Hemlock for Gadflies on 05.23.06 at 11:46 AM [permalink]This is exactly why I don't trust the NSA's domestic surveillance programs -- any of them. The more information we give the government, the more likely it is to leak out to god knows who -- corrupt government officials from either party, criminals, wackos, spammers/private companies, foreign governments. posted by: Christopher Fahey on 05.23.06 at 11:46 AM [permalink]A home invasion burglary is such a waste of time, especially of a civil servants home. What do you get? A laptop? Some fake pearls? An expresso machine? And what are the chances the local burglar is going to turn on Windows and start poking through the excel files? He'd probably immediately sell it to the local computer guy, who is going to turn it into parts anyway, especially if it says "Veterans Dept." And he immediately reboots it and destroys all the data anyway, or throws out the disk in the disk drive. If I was this analyst, no way I would have admitted to any such stupidity. posted by: amus on 05.23.06 at 11:46 AM [permalink]Amus, if you were this analyst no way would you have committed that stupidity in the first place. So it could possibly be for real. My paranoia, learned by long experience, says there may be more to it than that. But who would benefit by releasing this story to the media? I have no candidates. IMHO, this is another data point in favor of the theory that we've got to radically change our laws and ways of doing business. For almost all Americans, your personal data will be directly given to dozens of first parties in your life. Each of those dozens will pass it on to several (or several dozen) second parties, who will exchange it with other second parties, and sell it both back to 'first parties' (those with whom you deal directly), and forward to third parties, whom you have no clue about. In each of these parties, there are several ways for the data to be stolen - carelessness, a corrupt employee, businesses set up to as false-front data purchasers, just to name those that I can recall from recent events.
If credit cards worked the same way, that industry would have collapsed years ago. Sooner or later (probably sooner)somebody would take your card info and run several thousand dollars of purchase. You would be responsible for this, and would spend the next year or two paying that off. After cancelling all of your cards, because having that happen again would bankrupt you.
How about "senior political appointee" at the department ? I can well see them being eager beavers and working on weekends. And being careless with procedures since they're new . posted by: erg on 05.23.06 at 11:46 AM [permalink]erg: in my experience with political appointees, they are even less likely to take work home on the weekend than tenured civil servants. These are sinecures. My God -- we veterans can barely get an appointment at VA, let alone speak to someone in authority. As the Senator from South Carolina said of FEMA, the VA bureaucracy is staffed by the "sorriest bunch of jackasses in government." posted by: Hemlock for Gadflies on 05.23.06 at 11:46 AM [permalink]@dan: UPDATE: The VA didn't alert the FBI about the stolen data for two friggin' weeks??!!! What did they think -- it would just show up after looking under the couch cushions? there may be others, but california is the only state I know requires such security breaches to be reported at all, e.g. if your credit card data are stolen. what incentive did the VA have to report the breach? the only way to get improved data and transaction security is for there to be financial consequences for the system owners. if a credit card company was required to issue new cards and new numbers to all affected account holders immediately upon discovery of a breach, in addition to having to acknowledge the theft publicly, then you would not see so many thefts allowed by poor security. sure, today you can ask for a new card and new number, but if they don't notify you that you are at risk what good is the privilege? and yes, the bank will end up eating the charges, but it won't eat the indirect damages (e.g. your credit card is shut off while you are in russia on business and you end up in jail because you don't speak russian). note also the terms are different for stolen debit cards...you probably are liable up to the total contents of the account. in re national ID: thanks to ignorance and the laziness of database administrators we are near it today as far as the ID string itself, the SSN. try getting an account at your local video store without giving yours. I've been turned down for refusing to give it ("oh, the computer requires it..."), and the clerks are impervious arguments about legality. it's that old "well, if you don't have anything to hide..." argument. posted by: supersaurus on 05.23.06 at 11:46 AM [permalink]computer geek writes: " I said that Excel is not the appropriate tool and that the putz's boss should have had procedures in place to prevent this. I think we're all in agreement." Excel could be a handy quick-n-dirty UI for playing with data on a local Oracle server. If the data was simple enough, and not set up as a relational database, it could have been in flat files. posted by: Jon H on 05.23.06 at 11:46 AM [permalink]Folks, we need to wake up. Review all the information provided in the initial news stories... it is sooo vague and fully resembles a fabricated story. This is just the latest edition in a string of events artificially created to move us toward acceptance of identity chips, etc. The day I heard this story it was obvious to me... especially the widespread story that the perpetrator wouldn't even know what he had, etc. There was no employee... no one is getting fired. Vague details are needed for cover-ups and fabricated stories like this. Not plausible that this scenario occurred!!! posted by: Ruth B on 05.23.06 at 11:46 AM [permalink]This employee had a "work from home agreement" and had been working at home and on this data since 2003. His supervisor not only knew he was working from home but knew what he was working on. While everyone wants to attack this employee, he was doing what he has been doing for many years and a bad thing happened. Do I agree, as a VA employee, that he should have this kind of data unsecured? Absolutely not. But let's be clear, he wasn't a bad person, he was acting within the boundaries had been established, and a bad thing happened. Trust me, VA was all too happy to get the extra hours of work out of him. What I find interesting is after this story broke, I have received no less than 50 phone calls from concerned veterans leaving messages on my voice mail complete with their full names, full social security numbers and date of birth. Now THAT'S stupid!! So while the loss of this data is indeed tragic, people need to be smart about protecting their own information and not willingly leaving it on an answering machine. posted by: chatty cathy on 05.23.06 at 11:46 AM [permalink]Post a Comment: |
|