TSA Loses Hard Drive With Personnel Info
WrongSizeGlass writes "A portable hard drive containing personnel data for former and current employees went missing from a controlled area at the TSA.
From the article: 'The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.'"
Encrypted ? (Score:3, Insightful)
Re:Encrypted ? (Score:4, Funny)
All your files are belong to us?
Re: (Score:2)
I apologize.
As a non-native speaker, I obviously failed to comprehend the grammatical intricacies involved.
Re: (Score:3, Interesting)
Re: (Score:1)
Re: (Score:2, Insightful)
Re:Encrypted ? (Score:4, Insightful)
The entire idea behind encryption is to make it difficult/impossible to the casual hacker. If someone were dedicated to get into the information contained within however it would only be a matter of two variables... Time and Processing power.
Encryption is not a silver bullet to any and all security problems, it just mitigates some of the risk. If they can't crack the encryption within 20 years then most of the info would be useless by then. If they can do it in 3 months then it's a problem...
One-time pad encryption is unbreakable (Score:2, Interesting)
For anything less than a state secret, you want something that only the most well-funded adversary can break in a reasonable length of time. You get to define "reasonable."
Re: (Score:3, Insightful)
Brute-forcing is for chumps. (Well, assuming your average chump has a grid computer and a few years to spare). Real Men use social engineering to get secret keys.
The TSA has a notoriously shallow understanding of security, because they need to put on a demonstration
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Wrong. Encryption is only as good as the key. Or in practical cases, only as good as the password that protects the key. And in all likelihood (like most enterprises) the key is probably managed in such a way that dozens of people could have accessed it, especially if it was shared "enterprise" data.
Security people turn to crypto as the answer to everything. It isn't. Even cryptographer Bruce Schneier lamented that mistake in the opening of his b
Re: (Score:1)
TSA default passphrase: "GetOsama".
Or maybe 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.
Re: (Score:1)
The only decent type of encryption for Data In Transit that I know of is full hard drive encryption with something like Safeboot http://www.safeboot.com/ [safeboot.com] and even they will admit readily that this isn't infallible and only protects the company LEGALLY.
The true question is why the hell was it on a laptop in the first place? Why not on a server with remote access?
Re: (Score:1)
Re: How many times does this have to happen (Score:1)
I am asking again. Why aren't there strict guidelines/laws about how personal data is kept? I know that medical people have a HIPPA (spelling may be wrong) guideline that is so strong that people are signing all the time that they have received information about how much medical practitioners care about personal data
Insightful? Try funny! (Score:1)
Hmmm... Hahaahahahahahahahahha!
MOD parent up, Score: 5, FUNNY!
Oh, wait, you were serious?
Sorry.
~Hal
Re: (Score:1)
Wait... (Score:1, Insightful)
Re: (Score:3, Informative)
Re: (Score:1)
Re: (Score:1, Interesting)
Re: (Score:2)
It's just another statement that if you.... (Score:4, Insightful)
Considering all the past digital leaks, I got to wonder who hasn't had information on them digitally leaked?
Re: (Score:2)
A. No. We do not re-assign Social Security numbers [ssa.gov]. We have assigned more than 440 million Social Security numbers and each year we assign about 5.5 million new numbers. Even so, the current system will provide us with enough new numbers for several generations into the future.
Re: (Score:2)
Where I work, all company data on a laptop goes into
Re: (Score:1)
Goes to show, not having any credit or a bank account has its advantages. My position amongst the dregs of society looks sweeter all the time while the rest of you fight amongst yourselves trying to get more and more and to keep what you have. The entertainment value is priceless.
Captain Obvious says : (Score:5, Insightful)
The problem isn't using the SSNs (Score:4, Insightful)
Re: (Score:2)
Re: (Score:1)
care to provide a reference to it? Is it just that we'll eventually run out of numbers so they have to be reused or have the numbers been actually re-used already?
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:1)
You see, both are registered as ARN#624-926-536624"
"But that spells OBI-WAN-KENOBI, doesn't it?"
"Yeah, but Central Registration Authority never gives out the same number twice!"
"So the registration must be bogus then. Very well, move along..."
Re: (Score:2)
Well, they may have to rethink their policy in a couple of decades. As it stands, social security numbers have nine digits, which means there are only a billion unique numbers. Given a current population of about 300 million, I would guess that about 1/3 of them have been used already.
Re: (Score:2)
It would be more secure to use a common identifier that is only known inside the systems that need to use/share personal data. Something like a technical primary key, only people with sufficient
supposed to be unique, not always (Score:3, Interesting)
Every now and then you find out about a SS# that is not unique. The SS office issues a new number to one or both individuals and mea culpas all around. See this news story [whnt.com] for one example.
Re: (Score:2)
I cannot think of any way to take any control of someone's life just by knowing someone's SSN.
You can't sell property, take a loan or apply for a credit card without showing valid photo ID.
You can't order another photo ID with your picture either, since the bureau who grants valid IDs has the origina
Re: (Score:2)
Re: (Score:2)
http://en.wikipedia.org/wiki/Notary_public [wikipedia.org]
Re: (Score:3, Interesting)
It may be unique, but it is most definitely NOT an identifier. Everyone over the age of about 45 (I forget the exact year) got a SSN by asking for it. The original intent of the Social Security Card was to let you and your employer (and Uncle Sam) track your earnings and taxes on said earnings. There was no proof of identity involved. I could have created a
Re: (Score:1)
When I went into the military, I used the NM prefix and have ever since.
And in the UK today too (Score:5, Insightful)
From the BBC article:
It is now too easy for huge quantities of private data to be carried around on laptops and memory sticks, often by people who do not understand the consequences of failing to protect that data. Companies need to be held to account when data is lost.
But check out who does their background checks! (Score:1)
Physical Security (Score:3, Insightful)
Technology is amazing (Score:1)
Re: (Score:2)
Re: (Score:1)
Ha! Ha! (Score:4, Funny)
Re: (Score:2)
Portable HDD? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Interesting)
There is a pretty good reason to carry data around on a removable drive. It's cheap bandwidth.
I know this because we used to do streaming backups to an offsite location (one of the guys' houses (we are a (very) small business)). The DSL we used had a download speed on his end of about 1Mb/s. That is .125MB/s. Carrying a 120GB drive home every night, assuming the drive is one hour, has a bandwidth of 34MB/s or about the speed of a T4 line. It's also essentially free because the amortized cost of the drive
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
huh? why does the average business computer need audio, and what "good graphical device" relies on USB?
at work, a division of a large bank, they want to disable USB altogether. Snag is that there are many legacy free PCs and so need USB for keyboard and mouse, so now they're going to be breaking the OS's device drivers to disable USB mass storage.
snag is we also have a lot of linux desktops, so we will all lose local root access so they can remove kernel modules for usb mass storage if possible.
yes,
Put Management's Data In The Databases (Score:3, Interesting)
Maybe a law should be made that any organization that is trusted with public data be forced to imbed all of their CEO's, CFO's, other officers, management, and shareholder's data in the same databases.
I know that the reason all this data keeps getting exposed is because management would rather save money instead of training their IT staff (if they need it) or just giving them the time to implement good, safe, data handling practices. Put their data on the line too and let's see how they decide about safe data handling practices.
More security (Score:2, Interesting)
Re: (Score:1)
Peter O'Donnell nailed this years ago. (Score:1)
"Security agencies are always too busy watching everyone else to watch themselves. How long has it been since you changed your locks or checked on your guards?"
1st rule of TSA (Score:2)
some people never learn (Score:5, Insightful)
This is why I try not to use my Social Security number for identification purposes anymore. I really should try to figure out who has it & what I can do to reduce the use of it.
Re: (Score:1)
The past few days alone have exhibited an increase in this sort of problem exactly (re: encryption). Why large companies aren't using encryption as a standard is something that needs to be answered. Consider the eBay case [bbc.co.uk] where on the 4 May 2007:
Sensitive case notes on vulnerable children in Essex have been found on a computer sold on eBay's auction site.
and the NHS case [bbc.co.uk] where on the 2 May 2007:
About 10,000 health workers in Cornwall have been warned that they could be the victims of fraud after their bank details were stolen.
The latter being more prevalent in my opinion as a critique of the NHS computer systems is revealed [bbc.co.uk] only weeks (16 April 2007) before the breach.
Let's not forget the Los Alamos hard drive scandal, and the countless do
This bears repeating (Score:4, Funny)
Never ascribe to incompetence what can be explained by malice, I guess.
Re: (Score:1, Offtopic)
The sad thing is that ALL modern drives have an effective erase capability built in:
http://cmrr.ucsd.edu/Hughes/SecureErase.html [ucsd.edu]
but few people know that and fewer still use it before disposing of a drive.
Re: (Score:1)
This Wayne Madsen? (Score:2)
Re: (Score:1)
If someone just wanted the data, they put themselves in more jeopardy by making it obvious something was taken. Now they have to worry about security camera review, fingerprinting, etc.
open it up (Score:1)
Seriously, with the sheer amount of data that is accumulated everywhere, and how densely we can store it, well this is going to happen more and more.
Re: (Score:1)
we can get rid of all criminal activities if we abolish every law!
Well, technically speaking, you are correct ...
What we need.. (Score:2)
Why was this on a portable HD in the first place? (Score:5, Informative)
Re:Why was this on a portable HD in the first plac (Score:1)
Gov't infiltration? (Score:2, Interesting)
As a network and database admin, I've found it to be pretty darn important. I first read about I Love You at 7am at work when it sprang, told our security admin who doesn't read
What's really alarming.. (Score:2)
Update! (Score:2, Funny)
It's astounding.. (Score:1)
It's sad when the developers are the biggest security hole in critical government software.
Re: (Score:1)
Re: (Score:2, Insightful)
Disk Encryption (Score:2)
In light of that, why isn't that kind of policy used everywhere? Doesn't it just make good sense?
The TSA shouldn't even be able to claim that this was a legacy laptop, as frankly their agency hasn't been around that long. I don't get it.
Re: (Score:3, Insightful)
It's plain stupidity and laziness that compels people to defy the simplest rules of security.
Tom
Re: (Score:1)
Beyond the lack of crypto on the drive, I'm just left wondering WTF someone had placed all that information on an *external* drive in the first place. That was stupid, and to then go on to leave it sitting out somewhere and not under lock and key boggles the mind.
Backup? (Score:1)
Get used to it! (Score:1)
Check out http://www.privacyrights.org/ar/ChronDataBreaches
You can't make this stuff up, folks (Score:3, Funny)
These people are morons. Their sole purpose in life is to screw up while pushing other people around with self-righteous notions that THEY are the ones "protecting" everybody else.
It's the "cop mentality" writ large - which is the same basic mentality as a Mafia protection racket.
Re: (Score:1)
Re: (Score:3, Insightful)
O no... (Score:2)
The untold story (Score:3, Funny)
Apparently the screeners were distracted when someone tried to enter the area with a photo of a shampoo bottle and so they didn't notice the theft. According to the DHS, the photo was probably inserted into the shampoo ad by an al-Qaeda operative.
The TSA, eh? (Score:2)
An idea whose time has come... (Score:1)
Supposition 1: Personal data is a commodity because it's unique to the individual it regards.
Supposition 2: Personal data must be safeguarded because people use it to demonstrate that they are whom they claim to be, that is, to identify people uniquely, to facilitate transactions which either immediately, or ultimately involve the exchange of money, goods, or services, etc.
Conclusion: Personal data is desirable to people who should not have it, fo
Maybe TSA employees stole it? (Score:2)