TSA Loses Hard Drive With Personnel Info

WrongSizeGlass writes "A portable hard drive containing personnel data for former and current employees, went missing from a controlled area at the TSA. From the article: 'The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.'"

Encrypted ?

[messner_007]

There is no problems if the disc was encrypted ...

Re:Encrypted ?

[cp.tar]

All your files are belong to us?

Re:

[cp.tar]

I apologize.

As a non-native speaker, I obviously failed to comprehend the grammatical intricacies involved.

Re:

[tverbeek]

There is no problems if the disc was encrypted ...

...or formatted with HFS+. No one would ever think of mounting the drive on a Mac, and Windows will show the drive as "unformatted". :)

Re:

[rustalot42684]

What about ext3 or ReiserFS?

Re:

[8ball629]

I'm sure whoever stole it knows what it was mounted to previously.

Re:Encrypted ?

[Tuoqui]

Encryption is not undefeatable.

The entire idea behind encryption is to make it difficult/impossible to the casual hacker. If someone were dedicated to get into the information contained within however it would only be a matter of two variables... Time and Processing power.

Encryption is not a silver bullet to any and all security problems, it just mitigates some of the risk. If they cant crack the encryption within 20 years then most of the info would be useless by then. If they can do it in 3 months then its a problem...

One-time pad encryption is unbreakable

[davidwr]

I don't think you need unbreakable encryption for financial data, but for state secrets, a removable-drive one-time pad that is chained to the operator will do the trick.

For anything less than a state secret, you want something that only the most well-funded adversary can break in a reasonable length of time. You get to define "reasonable."

Re:

[inviolet]

The entire idea behind encryption is to make it difficult/impossible to the casual hacker. If someone were dedicated to get into the information contained within however it would only be a matter of two variables... Time and Processing power.

Brute-forcing is for chumps. (Well, assuming your average chump has a grid computer and a few years to spare). Real Men use social engineering to get secret keys.

The TSA has a notoriously shallow understanding of security, because they need to put on a demonstration

Re:

[lmnfrs]

The TSA has a notoriously shallow understanding of security, because they need to put on a demonstration of security that ordinary people -- who don't understand it either -- will find calming. So you just know that the TSA is plenty vulnerable to the "Hi I'm from IT" call to the receptionist.

What the TSA is notorious for is being astoundingly clever. The receptionist may be tricked into helping the social engineer, but will fail to realize that the key is 'SSSS'.

Re:

[failure-man]

The US government uses AES. Nobody's brute-forcing AES any time before quantum computers mature.

Re:

[Antique Geekmeister]

Would you care to lay a wager that far, far lower encryption standards are used as a matter of course by many federal groups, without even the knowledge of their users? The default setting for many UNIX installations and their password management for /etc/passwd and htpasswd are still DES, and your average Microsoft Certified Software Engineer who is hired straight out of school does not have the experience or pull to get that fixed, even when they do notice the problem.

Re:

[fourchannel]

I think those might be on sale at BestBuy...I got my quantum computer off of ebay.

Re:

[malcomvetter]

There is no problems if the disc was encrypted ...

Wrong. Encryption is only as good as the key. Or in practical cases, only as good as the password that protects the key. And in all likelihood (like most enterprises) they key is probably managed in such a way that dozens of people could have accessed it, especially if it was shared "enterprise" data.

Security people turn to crypto as the answer to everything. It isn't. Even cryptographer Bruce Schneier lamented that mistake in the opening of his b

Re:

[PPH]

Encryption is only as good as the key. Or in practical cases, only as good as the password that protects the key.

TSA default passphrase: "GetOsama".

Or maybe 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

Re:

[badspyro]

And encryption can't be broken?

The only decent type of encryption for Data In Transit that I know of is full hard drive encryption with something like Safeboot http://www.safeboot.com/ [safeboot.com] abd even they will admit readily that this isn't infallible and only protects the company LEGALLY.

The true question is why the hell was it on a laptop in the first place? Why not on a sever with remote access?

Re:

[account_deleted]

Comment removed based on user account deletion

Re: How many times does this have to happen

[Douglas Goodall]

I have read dozens of articles about large databases being carried off by unknown people on hard drives and laptops, and each time people ask why so much information was in such a portable form.

I am asking again. Why aren't there strict guidelines/laws about how personal data is kept. I know that medical people have a HIPPA (spelling may be wrong) guideline that is so strong that people are signing all the time that the have received information about how much medical practitioners care about personal data

Insightful? Try funny!

[hallux-s]

What can I say, both to the original story and to this particular comment?

Hmmm... Hahaahahahahahahahahha!

MOD parent up, Score: 5, FUNNY!

Oh, wait, you were serious?

Sorry.

~Hal

Re:

[fluch]

The important stuff was encrypted... Wasn't it? ... Dough!

Wait...

[JustinVanHorne]

A portable hard drive... is missing?

The agency said it did not know whether the device is still within headquarters or was stolen.

This doesn't make much sense. Why would you report a secuirty *breach* if you aren't even sure if it was stolen? It seems sort of bad-business like to worry someone right when something *might have* gone wrong.

Re:

[Anonymous Coward]

Are you stoned? Theyve lost control of important data that was supposed to be secure. Thats a security breach.

Re:

[wwphx]

Well, it's missing and important. Not unlike the missing hard drives at Los Alamos Nat'l Lab. It later turned out that their inventory was incorrect and the drives had been destroyed.

Re:

[Actually, I do RTFA]

Isn't it better to report all possible breaches, including false alarms, so things can be dealt with earlier (and cheaper)?

Re:

[doggo]

You think this is bad? Wait 'til these incompetents let someone nuke a city.

Its just another statement that if you....

[3seas]

... have a digital identification, and most everyone does, you have to be alert to possible wrongful use of it by others.

Considering all the past digital leaks, I got wonder who hasn't had information on them digitally leaked?

Re:

[Smallpond]

Q. Are Social Security Numbers re-assigned after a person dies?

A. No. We do not re-assign Social Security numbers [ssa.gov]. We have assigned more than 440 million Social Security numbers and each year we assign about 5.5 million new numbers. Even so, the current system will provide us with enough new numbers for several generations into the future.

Re:

[OriginalArlen]

This incident is a result primarily of poor physical security, firstly lack of controls preventing someone deliberately or accidentally moving it out of the secured area, and secondly the config of the data. If it's in an encrypted fs (Windows EFS or Linux loopback crypto fs or equivalent), which it should be, there's no problem with Dr Evil carrying it back to his volcano lair, even if he has a crack team of inwinceable cryptanalysts (is that a word?).

Where I work, all company data on a laptop goes into

Re:

[iminplaya]

Considering all the past digital leaks, I got wonder who hasn't had information on them digitally leaked?

Goes to show, not having any credit or a bank account has its advantages. My position amongst the dregs of society looks sweeter all the time while the rest of you fight amongst yourselves trying to get more and more and to keep what you have. The entertainment value is priceless.

Captain Obvious says :

[witte]

Maybe using Social Security numbers for just about everything isn't such a good idea.

The problem isn't using the SSNs

[MarkByers]

Using Social Security Numbers for everything isn't such a bad idea. It is a convenient way to identify someone, since it is guaranteed to be unique. The problem comes when the SSN is the only piece of information you need to take control over someone's life. There should be some more basic checks put in place to ensure the person is who they claim to be. An example could be mailing the person at their last known address and asking them to send a letter back with an authorised signature on a document that explains what is about to happen. When these basic checks are missing, it is no wonder it is so easy to steal another person's identity.

Re:

[The MAZZTer]

I agree; but an interesting caveat is that the gov't reuses old SSNs eventually after the owner dies, so if you keep records long enough and if you have enough of them eventually you might end up with a duplicate key...

Re:

[wwwojtek]

an interesting caveat is that the gov't reuses old SSNs eventually after the owner dies
care to provide a reference to it? Is it just that we'll eventually run out of numbers so they have to be reused or have the numbers been actually re-used already?

Re:

[smittyoneeach]

I forget the reference, but I heard that when they move from SSNv4 to SSNv6 that there will be enough numbers for everything on the planet, and stuff.

Re:

[Fulcrum of Evil]

They don't actually reuse numbers - this is policy. What has happened is that people have been issued the same number, and illegals have used others' numbers for various purposes, making identification problematic. Combine this with the twin problem (lots of insurance companies aren't set up to handle twin births properly, so they fake it with a shifted birthdate) and SSN really isn't the universal key you were looking for.

Re:

[mikiN]

"These aren't the 'droids you're looking for.
You see, both are registered as ARN#624-926-536624"

"But that spells OBI-WAN-KENOBI, doesn't it?"

"Yeah, but Central Registration Authority never gives out the same number twice!"

"So the registration must be bogus then. Very well, move along..."

Re:

[toddestan]

They don't actually reuse numbers - this is policy.

Well, they may have to rethink their policy in a couple of decades. As it stands, social security numbers have nine digits, which means there are only a billion unique numbers. Given a current population of about 300 million, I would guess that about 1/3 of them have been used already.

Re:

[witte]

I agree that it's easier than having a separate ID for everything, but the privacy and security issues by using a potentially exposable key are not trivial. If you pay taxes for a public service, you would at least want it to be secure enough so some Joe Shmuck can't impersonate as you and go shopping on your credit.

It would be more secure to use a common identifier that is only known inside the systems that need to use/share personal data. Something like a technical primary key, only people with sufficient

supposed to be unique, not always

[davidwr]

SS#s are supposed to be unique. They aren't recycled.

Every now and then you find out about a SS# that is not unique. The SS office issues new number to one or both individuals and mea culpas all around. See this news story [whnt.com] for one example.

Re:

[Keruo]

> The problem comes when the SSN is the only piece of information you need to take control over someone's life. There should be some more basic checks put in place to ensure the person is who they claim to be.

I cannot think of any way to take any control of someones life just by knowing someones SSN.
You can't sell properity, take a loan or apply for a credit card without showing valid photo ID.

You can't order another photo ID with your picture either, since the bureau who grants valid IDs has the origina

Re:

[Chmcginn]

It's rarely difficult to find a person (in the US) who can forge a photo ID. There was three people I knew in college with who made fairly convincing fakes of out-of-state driver's licenses in their spare time. This is part of the reason for the 'Real ID' act.

Re:

[profplump]

Or maybe if there were some way that you could execute a legal document and have some agent or officer of the government authenticate your identity and acceptance of the document in-person. That would be handy.

http://en.wikipedia.org/wiki/Notary_public [wikipedia.org]

Re:

[cellocgw]

Using Social Security Numbers for everything isn't such a bad idea. It is a convenient way to identify someone, since it is guaranteed to be unique.
It may be unique, but it is most definitely NOT an identifier. Everyone over the age of about 45 (I forget the exact year) got a SSN by asking for it. The original intent of the Social Security Card was to let you and your employer (and Uncle Sam) track your earnings and taxes on said earnings. There was no proof of identity involved. I could have created a

Re:

[backbyter]

I used to have 2 different numbers. Same information used on the application. The difference? One was applied for while I lived in Japan (American Samoa prefix), the other while I lived in New Mexico (NM prefix).

When I went into the military, I used the NM prefix and have ever since.

And in the UK today too

[AmIAnAi]

A BBC article [bbc.co.uk] disclosed that a laptop had been stolen that contained Marks & Spencer employee details

From the BBC article:

Salary details, addresses, dates of birth, national insurance and phone numbers were on the machine which was stolen from a printing firm.

It is now too easy for huge quantities of private data to be carried around on laptops and memory sticks, often by people who do not understand the consequnces of failing to protect that data. Companies need to be held to account when data is lost.

But check out who does their background checks!

[sgt_doom]

Given that the firm, Blackwater USA [alternet.org], is responsible for performing the security background checks on TSA employees (I believe there was a news article several months back where four recently hired employees in the Seattle-Tacoma area were convicted - and jailed - for pilfering luggage - another fine Blackwater USA [thenation.com] mission accomplished!), any compromised data is pretty much a moot point......

Physical Security

[Detritus]

Even if you have decent physical security, some items will attract thieves. Anything shiny and portable is likely to walk out the door. A portable disk drive is a good example of a thief magnet.

Technology is amazing

[strcpy(NULL,...]

Now we have portable thief magnets? Nobody would believe it ten years ago.

Re:

[Ruie]

A portable disk drive is a good example of a thief magnet.

Well, if the thief had a magnet the data is now secure...

Re:

[innocent_white_lamb]

You know, that's not entirely out of the question. This guy [landfield.com] stole a hard drive with personal information on it for his "personal use at home". (The referenced article doesn't say that, but I remember reading the results of the investigation and court case in the paper at that time.) He didn't want the data on it at all, just the hardware.

Ha! Ha!

[mobby_6kl]

Now they'll experience how it feels to be on the receiving end of violation of privacy!

Re:

[TheMeuge]

Maybe next time they'll lose the hard drive with the war-protester-based no-fly lists, and it'll turn out to be the only copy...

Portable HDD?

[bulliver]

There's your problem. I can see the allure of using a portable drive, in that you can easily move the data around from computer to computer, but really, we have a better way to move the data: The bloody network! That HDD should have been screwed into a locked case mounted in a rack bolted to the floor of a securely locked room.

Re:

[Original Replica]

That would imply that the people there at the Transportation Security Administration had some sort of clue about how to make things secure... when they were easily transported ...

Re:

[florescent_beige]

There is a pretty good reason to carry data around on a removable drive. It's cheap bandwidth.

I know this because we used to do streaming backups to an offsite location (one of the guys' houses (we are a (very) small business)). The DSL we used had a download speed on his end of about 1Mb/s. That is .125MB/s. Carrying a 120GB drive home every night, assuming the drive is one hour, has a bandwidth of 34MB/s or about the speed of a T4 line. It's also essentially free because the amortized cost of the drive

Re:

[RogerWilco]

In radio astronomy we have the saying "Don't underestimate the bandwith of a truck of data tapes barreling down the highway". Having half a Petabyte of more storage in the back of your car, you can achieve rather high bandwidths.

Re:

[treeves]

Something tells me whoever had this drive didn't have it because they NEEDED to transfer 120GB of data and the HD was a good way to do it.

Re:

[Antique Geekmeister]

Given the availability and use of 40 GB Ipod devices, and USB devices like these (http://gadgets.fosfor.se/the-top-10-weirdest-usb- drives-ever/), it's difficult to avoid. And you don't dare remove USB ports altogether since employees do need good USB audio and graphical devices to do their work.

Re:

[speculatrix]

huh? why does the average business computer need audio, and what "good graphical device" relies on USB?

at work, a division of a large bank, they want to disable USB altogether. Snag is that there are many legacy free PCs and so need USB for keyboard and mouse, so now they're going to be breaking the OS's device drivers to disable USB mass storage.

snag is we also have a lot of linux desktops, so we will all lose local root access so they can remove kernel modules for usb mass storage if possible.

yes,

Put Management's Data In The Databases

[NeverVotedBush]

Why does it take a data breach happening to some organization to get them to decide to protect information?

Maybe a law should be made that any organization that is trusted with public data be forced to imbed all of their CEO's, CFO's, other officers, management, and shareholder's data in the same databases.

I know that the reason all this data keeps getting exposed is because management would rather save money instead of training their IT staff (if they need it) or just giving them the time to implement good, safe, data handling practices. Put their data on the line too and let's see how they decide about safe data handling practices.

More security

[blhack]

I'm still waiting for the day when full drive encryption becomes standard. You power the machine on, input a password (or insert a USB key and input a password) and the machine then continues normally. While this might not stop completely determined information thieves, it should put an end to drives full of personal info showing up on ebay. What would be even better is if it became required practice for anyone working with sensitive data like that.

Re:

[Tuoqui]

Still does not matter unless they encrypt the line between your keyboard and the computer. Thieves and Attackers will always go for the weakest link. This is why keyloggers are likely gaining in popularity.

Peter O'Donnell nailed this years ago.

[sehlat]

In one of his Modesty Blaise novels, Miss Blaise remarks to the head of a British security agency that:

"Security agencies are always too busy watching everyone else to watch themselves. How long has it been since you changed your locks or checked on your guards?"

1st rule of TSA

[gelfling]

No one talks about TSA. I'm sure even mentioning that this has happened is a violation of some stupid Federal law and the terrorists have already won.

some people never learn

[Isaac-Lew]

Why would this information even on a portable drive? And why would it not be encrypted?

This is why I try not to use my Social Security number for identification purposes anymore. I really should try to figure out who has it & what I can do to reduce the use of it.

Re:

[manif3st]

The past few days alone have exhibited an increase in this sort of problem exactly (re: encryption). Why large companies aren't using encryption as a standard is something that needs to be answered. Consider the eBay case [bbc.co.uk] where on the 4 May 2007:

Sensitive case notes on vulnerable children in Essex have been found on a computer sold on eBay's auction site.

and the NHS case [bbc.co.uk] where on the 2 May 2007:

About 10,000 health workers in Cornwall have been warned that they could be the victims of fraud after their bank details were stolen.

The latter being more prevalent in my opinion as a critique of the NHS computer systems is revealed [bbc.co.uk] only weeks (16 April 2007) before the breach.

Let's not forget the Los Alamos hard drive scandal, and the countless do

This bears repeating

[lawpoop]

Wayne Madsen is maintaining a chart [waynemadsenreport.com] of data thefts of personal information. He lists 3 or 4 dozens thefts. He believes these thefts are an attempt to populate the Total Information Awareness [wikipedia.org] databases.

Never ascribe to incompetence what can be explained by malice, I guess.

Re:

[flyingfsck]

TIA can probably be populated very easily from second-hand drives bought on Ebay.

The sad thing is that ALL modern drives have an effective erase capability built in:
http://cmrr.ucsd.edu/Hughes/SecureErase.html [ucsd.edu]
but few people know that and fewer still use it before disposing of a drive.

Re:

[sgt_doom]

While Mr. Madsen presents one possible, and likely, scenario, it is important to realize that with the advent of the Bushevik administration there are now something like 61 commercial databases currently under government contract and online - constantly being accessed by the TIA organization: everything from ChoicePoint (sometime take a look at their current and previous directors) to OnStar with First Data volunteering their databases.....

This Wayne Madsen?

[commodoresloat]

You mean this guy [fromthewilderness.com]? He may be on to something, or it could just be another of his loony theories.

Re:

[smccurry]

If that was the case, they'd be better off copying the data and putting it back before it was noticed as missing.
 
If someone just wanted the data, they put themselves in more jeopardy by making it obvious something was taken. Now they have to worry about security camera review, fingerprinting, etc.

open it up

[McGiraf]

Information wants to be free! If everything was public data we wouldn't have these problems; also, we can get rid of all criminal activities if we abolish every law!

Seriously, with the shear amount of data that is accumulated everywhere, and how densely we can store it, well this is going to happen more and more.

Re:

[justinlee37]

we can get rid of all criminal activities if we abolish every law!

Well, technically speaking, you are correct ...

What we need..

[Sloppy]

..is some TLA government organization to take care of TSA's security, so they won't have to deal with that subject, and can dedicate themselves to harassing people.

Why was this on a portable HD in the first place?

[wwphx]

I've been in gov't IT for 15 years, this should never have left the server farm. If it had to be on a portable device, it should have been a laptop and heavily encrypted, not that I can see a good reason to give anyone that info. The retirement planning people can make do with very little info.

Re:Why was this on a portable HD in the first plac

[epp_b]

I've been in gov't IT for 15 years, ...

I guess we'll consider this an official infiltration!

Gov't infiltration?

[wwphx]

I'm sure people at the Fed level have been reading /. for as long as it's been up. I've been on since we first got the web in the early 90's. I've only been at the state and city level, never the fed level.

As a network and database admin, I've found it to be pretty darn important. I first read about I Love You at 7am at work when it sprang, told our security admin who doesn't read /. (or at least he didn't at that time) and he went and yanked the outside connection to our firewall. It did hit us, but ve

What's really alarming..

[Pointy_Hair]

is that they had around 100,000 employees to lose data on. That's a lot of shoe checkers!

Update!

[alisson]

From the TSA:

JK, no biggie, guys! We just got it as an .pdf attachment from some nice citizen at "i.r.t3h.l33t.haxxr.@hotmail.com!" It also has a cool .exe file, which he assures me is a some security software to keep or data safe! I've installed it on all computers containing sensitive information, so no worries :)

It's astounding..

[mikkelm]

.. how government organisations continue to to store HUGE amounts of CRITICAL and VERY PRIVATE data on LAPTOPS. Either they have idiot software developers, or they genuinely do not care about security at all.

It's sad when the developers are the biggest security hole in critical government software.

Re:

[PPH]

Its not developers. Its IT department policies. Or, in some cases, its the PHB who tells the IT department that he's going on vacation and needs a copy of some data to work on while sitting on the beach, data security policies be damned.

Re:

[mikkelm]

Any system that could leave hundreds of thousands of private records anywhere but in a centralised and secured database seems pretty bad to me. Luckily anything else is against the law where I'm from.

Disk Encryption

[Johnny Mnemonic]

Where I work, employee laptops are required to make use of File Vault on the Mac, and I believe that the entire HD is encrypted if you chose a windows laptop instead. I'm not sure of the Linux option, but I believe that there is one.

In light of that, why isn't that kind of policy used everywhere? Doesn't it just make good sense?

The TSA shouldn't even be able to claim that this was a legacy laptop, as frankly their agency hasn't been around that long. I don't get it.

Re:

[tomstdenis]

or not wander around with an HD with sensitive data on it? That's just mental. That data should be housed only in a secure facility with only remote secure access to it.

It's plain stupidity and lazyness that compels people to defy the simplest rules of security.

Tom

Re:

[gujo-odori]

Required where I work too, at least for anyone with access to the code, probably for anyone else, too. In addition, they give you a laptop lock so that if you're going to leave it in the office, you can shackle it to your cubicle.

Beyond the lack of crypto on the drive, I'm just left wondering WTF someone had placed all that information on an *external* drive in the first place. That was stupid, and to then go on to leave it sitting out somewhere and not under lock and key boggles the mind.

Backup?

[epp_b]

What, no backup? [slashdot.org]

Get use to it!

[Z33kPhr3k]

This happens every day.

Check out http://www.privacyrights.org/ar/ChronDataBreaches. htm [privacyrights.org].

You can't make this stuff up, folks

[Master of Transhuman]

I'm waiting for the news story that says the Department of Homeland Security just lost a hard drive with the personal information of every Federal agent in the government and all the White House security information on it.

These people are morons. Their sole purpose in life is to screw up while pushing other people around with self-righteous notions that THEY are the ones "protecting" everybody else.

It's the "cop mentality" writ large - which is the same basic mentality as a Mafia protection racket.

Re:

[justinlee37]

The TSA probably doesn't run as tight of a ship as our intelligence agencies do.

Re:

[chill]

If that does happen -- and hasn't already -- you will NEVER see a story on it. The reporter that runs that will find every lead, every contact and every story from the gov't sector totally dry up. Press credentials would be revoked and they'd probably get a "random" audit from the IRS, along with the census fill-it-all-out-or-go-to-prison long form. They'd be lucky if they could get a local dog catcher to talk to them.

O no...

[tsa]

Drat, where DID I leave the damn thing?

The untold story

[sjames]

Apparently the screeners were distracted when someone tried to enter the area with a photo of a shampoo bottle and so they didn't notice the theft. According to the DHS, the photo was probably inserted into the shampoo ad by an al-Queda operative.

The TSA, eh?

[Kamineko]

If it were the TSA [wikipedia.org], they can just go back in time and find out what happened to it. No biggie.

An idea who's time has come...

[hallux-s]

Here's an idea I've been kicking around for a little while...

Supposition 1: Personal data is a commodity because it's unique to the individual it regards.

Supposition 2: Personal data must be safeguarded because people use it to demonstrate that they are whom they claim to be, that is, to identify people uniquely, to facilitate transactions which either immediately, or ultimately involve the exchange of money, goods, or services, etc.

Conclusion: Personal data is desirable to people who should not have it, fo

Maybe TSA employees stole it?

[Wolfier]

Given reports that TSA employees steal travellers' items, I wouldn't be surprised the hard drive was stolen by insiders, seriously.