Update: Data breach affects 4.9M active, retired military personnel
Backup disk containing unencrypted personal data is missing
Computerworld - Sensitive data including Social Security Numbers, names, addresses, phone numbers and personal health data belonging to about 4.9 million active and retired U.S. military personnel may have been compromised after backup tapes containing the data went missing recently.
The information on the tapes was from an electronic healthcare application used to capture patient data. It does not include bank, credit card or other financial data, according to a statement released by TRICARE, a healthcare system for active and retired military personnel and their families.
The breach affects all those who received care at the military's San Antonio area military treatment facilities between 1992 and Sept. 7 of this year. Those affected include individuals who had filled pharmacy prescriptions or had laboratory tests done at any of the facilities, TRICARE said.
As is often typical with such incidents, the information on the backup tapes does not appear to have been encrypted. But in its statement, TRICARE maintained that the risk of the data being misused was low "since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure."
It is not immediately clear how or when Science Applications International Corporation (SAIC), a contractor for the military, discovered the breach. SAIC reported the breach to TRICARE on Sept.14. In an online FAQ, TRICARE said it waited two weeks to go public about the breach so it could first determine the degree of risk to those affected.
"We did not want to raise undue alarm in our beneficiaries" by notifying them about the data loss without first learning more about it, TRICARE said.
Vernon Guidry, vice president for media relations at SAIC, said the removable backup tapes were among items reported stolen from an employee's car. In an emailed statement, Guidry said the SAIC employee was transferring the tapes between federal facilities in San Antonio when they were stolen.
"SAIC is working with the local police department, the Defense Criminal Investigative Services and a private investigator to attempt to recover the backup tapes," Guidry said.
Guidry added that some personal information had been encrypted before being backed up. "However, the operating system used by the government facility ... to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with a particular federal standard," he said, apparently referring to the Federal Information Security Management Act (FISMA). "The government facility was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."
Compromises stemming from the loss of storage media and mobile devices containing unencrypted data are common.
This year alone there have been at least 77 incidents in which laptops, backup tapes, disks and other storage media containing unencrypted data were reported lost or stolen, according to statistics maintained by Privacy Rights Clearinghouse (PRC).
Prior to the SAIC breach, a total of just over 3.2 million records containing personal data had been compromised in such incidents this year, according to the PRC.
Though security analysts have long maintained that data encryption offers a relatively simple and inexpensive way to protect data on such devices, a large number of companies still haven't done so.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- NSA used 'European bazaar' to spy on EU citizens
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Bloomberg clamps down with data-access policies after scandal
- Amazon.com security slip allowed unlimited password guesses on mobile apps
- Huge turnout at RSA shows hackers are winning
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts