Update: Data breach affects 4.9M active, retired military personnel
Backup disk containing unencrypted personal data is missing
Computerworld - Sensitive data including Social Security Numbers, names, addresses, phone numbers and personal health data belonging to about 4.9 million active and retired U.S. military personnel may have been compromised after backup tapes containing the data went missing recently.
The information on the tapes was from an electronic healthcare application used to capture patient data. It does not include bank, credit card or other financial data, according to a statement released by TRICARE, a healthcare system for active and retired military personnel and their families.
The breach affects all those who received care at the military's San Antonio area military treatment facilities between 1992 and Sept. 7 of this year. Those affected include individuals who had filled pharmacy prescriptions or had laboratory tests done at any of the facilities, TRICARE said.
As is often typical with such incidents, the information on the backup tapes does not appear to have been encrypted. But in its statement, TRICARE maintained that the risk of the data being misused was low "since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure."
It is not immediately clear how or when Science Applications International Corporation (SAIC), a contractor for the military, discovered the breach. SAIC reported the breach to TRICARE on Sept.14. In an online FAQ, TRICARE said it waited two weeks to go public about the breach so it could first determine the degree of risk to those affected.
"We did not want to raise undue alarm in our beneficiaries" by notifying them about the data loss without first learning more about it, TRICARE said.
Vernon Guidry, vice president for media relations at SAIC, said the removable backup tapes were among items reported stolen from an employee's car. In an emailed statement, Guidry said the SAIC employee was transferring the tapes between federal facilities in San Antonio when they were stolen.
"SAIC is working with the local police department, the Defense Criminal Investigative Services and a private investigator to attempt to recover the backup tapes," Guidry said.
Guidry added that some personal information had been encrypted before being backed up. "However, the operating system used by the government facility ... to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with a particular federal standard," he said, apparently referring to the Federal Information Security Management Act (FISMA). "The government facility was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."
Compromises stemming from the loss of storage media and mobile devices containing unencrypted data are common.
This year alone there have been at least 77 incidents in which laptops, backup tapes, disks and other storage media containing unencrypted data were reported lost or stolen, according to statistics maintained by Privacy Rights Clearinghouse (PRC).
Prior to the SAIC breach, a total of just over 3.2 million records containing personal data had been compromised in such incidents this year, according to the PRC.
Though security analysts have long maintained that data encryption offers a relatively simple and inexpensive way to protect data on such devices, a large number of companies still haven't done so.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- Hackers steal user data from the European Central Bank website, demand money
- Arrests made after international cyber-ring targets StubHub
- SQL injection flaw opens door for Wall Street Journal database hack
- Goodwill Industries probes possible payment card breach
- Aloha point-of-sale terminal, sold on eBay, yields security surprises
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
Read more about Security in Computerworld's Security Topic Center.
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Live Webcast How to serve up a Grand Slam with a scalable IT Infrastructure for cloud, big data and advanced analytics Register today to attend this webcast, and see examples of how The U.S. Tennis Association, Wimbledon and U.S. Golf Association are using the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!