Disk Encryption Software: 70 Million Vets' Data On NARA Hard Drive Breach

The NARA, National Archives and Records Administration, may have had a data breach, depending on how one defines certain words.  What's not in contention is the fact that a hard drive with the information of 70 million US veterans is involved.  Or that data encryption software was not used to protect this data.

What Happened - RAID Drive Fails And Can't Be Fixed

A hard drive that was part of a RAID system failed in November 2008.  It was sent out to a contractor to be fixed, but the contractor concluded that repair was impossible.  It appears that the contractor then sent the hard drive to another company to be disposed of.

The problem is that the hard drive contained the information of 70 million vets, which was, technically, unsecured.  Sensitive information included millions of SSNs going back to 1972, the year they were first used as military service numbers.

This is a data breach in its purest sense: sensitive information under the aegis of one body is passed on to a third-party without being erased.

The NARA denies that this is a breach, though, pointing out that all parties involved signed agreements not to disclose any of the data.  Problem is, people don't always do what they agree to do.  For example, the company involved in getting rid of the drive could have a rogue employee who sells busted drives on the side (something that's happened already many times).

Getting Technical - Isn't It Destroyed Data?

I don't see it pointed out by anyone, but I can definitely see another reason why the NARA could claim that this is not a data breach: depending on how you define it, it could claim that the information on the broken drive has been destroyed.

As already mentioned, the only reason why the drive was marked to be junked is because it failed and there was no way to fix it.  Isn't this the definition of "destroyed?"  The definition of to destroy is to "damage irreparably."

The drive was damaged.  It could not be repaired.  It was damaged irreparably; it was destroyed.  And, last time I checked, there are provisions that absolve an organization from having to report a breach if sensitive data is destroyed before being tossed out.

Yeah, the NARA would be walking a fine line, and I don't particularly agree that the information was truly destroyed (there is a possibility that the Vets' SSNs could be recovered in a lab), but a real stink could be raised over legal wording, if one's to believe all the lawyers out there blogging on data protection legislation.

Using Encryption Software?

Could encryption software have been used to avoid such problems?  Yes.  But, I also see problems and circular logic coming into play.

Let's assume that disk encryption similar to AlertBoot was used to secure the drives in a RAID configuration.  Technically, the drives making up that RAID array can be given to anyone, and there would be no data breach because there's no way to access the information in them.  If someone had broken into the NARA and stolen those drives, encryption would have worked beautifully.

However, we're talking about a situation where the drives were willingly turned over to contractors for fixing.  I'm pretty certain that the contractors would have required access to the drive, which would have meant giving them information to decrypt the drive.

This is where I see the problem.  If the NARA is going to be criticized that the only "security" they had in place is a signed declaration from third parties that the data will be kept safe...well, the use of encryption doesn't solve the problem, since those third-parties have access to the data.

Furthermore, the NARA taking back the drive so it can dispose of it itself is not a solution either, since the cat's out of the bag, so to speak: again, if I'm not going to take the third-party's word that they'll keep the data safe, how do I know they didn't keep a copy of my data for some nefarious purpose between the time they received the drive and sent it back to the NARA?

I guess the only remedy, even if encryption were used, would be for the NARA to degauss a broken drive prior to sending it in to be fixed.

That sounds like a bone-headed move, though.  To begin with, if you're degaussing data, encryption is not necessary.  And, if you're fixing the drive so you can recover the data, degaussing is the last thing you want to do.

On the other hand, if the data on the drive to be degaussed is available via backups, why bother repairing the drive at all?  Repair is more expensive than buying a brand new drive, not to mention that the chances of the repaired drive breaking again are so much higher.


Related Articles and Sites:
http://www.wired.com/threatlevel/2009/10/probe-targets-archives-handling-of-data-on-70-million-vets

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with Data Guard Systems, Inc., the leading provider of managed endpoint security services, based in New York, NY. Mr. Lee helps with the deployment and ongoing support of both the AlertBoot disk encryption managed service and the CellularManager cellular pos service for Data Guard's customers. Prior to working at Data Guard Systems, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.