Now, It's the GAO's Turn for a Data Gaffe

The Government Accountability Office -- the federal oversight body charged with investigating waste, fraud, abuse and sloppiness at federal agencies -- is the latest to divulge that it inadvertently exposed the Social Security numbers and other personal information of Americans.

According to a story over at Government Computer News, the GAO said the data -- which was posted on the agency's public Web site -- "came from audit reports on Defense Department travel vouchers from the 1970s. ... GAO estimates that fewer than 1,000 people were impacted."

As a good friend of mine remarked after reading the GCN story, "things are amok" (or "a muck," depending on whether your basement is flooded by all the rain we've had in this area lately). Last week the Federal Trade Commission, the federal consumer protection agency, said two employee laptops stolen from a locked car exposed Social Security numbers and financial data on more than 100 people.

The good news, as I reported Tuesday, is that the White House is now demanding that federal agencies follow more stringent guidelines when allowing employees to leave the building with personal data on consumers, or when they remotely access databases containing personal data.

The bad news is that this should have been done long, long ago, because these kinds of federal data loss and disclosure notices are probably going to keep coming at us for some time.

By Brian Krebs  |  June 28, 2006; 10:45 AM ET
Categories:  From the Bunker  

Comments

I work in IT at NIH in Bethesda. We've long required anyone taking a government computer out of their office to obtain approval and a signed and sealed property pass for the removal. All guards must check anyone leaving with a laptop or any other PC to make sure they have the property pass. In addition, we require anyone who will connect to our system from outside NIH to receive approval for a VPN account and take a remote access security awareness training course. They cannot receive their VPN credentials until they have completed the online course. It's really not hard to implement these safeguards, I have no idea why every government agency doesn't have similar policies in place.

Posted by: NIH Tech | June 28, 2006 11:27 AM | Report abuse

NIH tech: thanks for mentioning NIH's security awareness training course. I googled the phrase, found the page and will be reviewing it. We will be rolling out multiple VPNs here soon and this is a great help.

Your IT dept. should be commended.

Posted by: DOUGman | June 28, 2006 12:54 PM | Report abuse

As an Information Security Professional I believe that there are already enough "stringent controls" in existence; what I believe is needed is more enforcement, maybe even the loss of jobs or demotions. How can the government tell private industry what to do if it cannot police itself? It's time that all of these expensive contracting and consulting firms start earning their keep and stop writing policy that nobody can understand just to justify the big paycheck they're getting. Someone posted this: "We've long required anyone taking a government computer out of their office to obtain approval and a signed and sealed property pass for the removal. All guards must check anyone leaving with a laptop or any other PC to make sure they have the property pass. In addition, we require anyone who will connect to our system from outside NIH to receive approval for a VPN account and take a remote access security awareness training course. They cannot receive their VPN credentials until they have completed the online course." Please tell me how this requirement protects data on the machine? How does it address WHAT data is stored on the machine? How does it address the person who goes to the mall on the way home and the computer is in the car? The first thing that needs to be decided is what can be stored on a computer (portable or fixed) by way of information classification; this will also be the time to set user privileges (read, write, copy), which will be enforced by system configuration. Then people need to be trained and sign statements that they will safeguard this and all information accordingly; this should include staff and management, top/down. If any of you need help doing this, let me know; I need a big payday.

Posted by: Donald_J | June 29, 2006 10:28 AM | Report abuse

Read this...signing permission slips...
http://www.cnn.com/2006/US/06/29/vets.security.ap/index.html

Posted by: Donald_J | June 29, 2006 11:57 AM | Report abuse

It amazes me. I'm 30 but I talk daily to high school and college kids who know and understand computers and technology. Their general opinion of government and computer technology/security is a hearty laugh. I watch CSPAN and chuckle at the grey hairs in congress trying to grasp the idea of new technology. These same boneheads want to implement an "unhackable" national ID card. Well, ask the Fed about their "unhackable" Carnivore project that is lining a wastebasket somewhere in Hades.

If you can build it you can break it.

If you want computer security you have to control who gets access to computers and then you have to ensure nothing confidential leaves the building.

Look at it this way. Would you rather lose your shirt to lawsuits from clients and/or citizens who are ticked off that you allowed data loss at that level? Or would you rather spend the money upfront to ensure that doesn't happen? Big business and the Fed are tight with cash. I don't see the latter happening in my lifetime.

You can't teach a good old boy new tricks (I meant to say old dog).

Posted by: John Reynolds | July 6, 2006 8:11 PM | Report abuse

We need to stop pretending that Social Security numbers are secrets. They aren't. Your SSN is your account number with the Social Security Administration. It's no more secret than your checking account number (which is printed on every check), in that it must by nature be divulged to anyone who needs to identify you to the IRS. This means many, many people have access to your SSN, and it's simply impossible to exert any control over it. To use the SSN as any form of authentication is just as wrong as using your checking account number--it proves nothing. The solution here is not to waste further resources attempting to protect SSNs, but to go ahead and publish them so that it's crystal clear that they are NOT a reliable authentication factor.

Posted by: antibozo | July 12, 2006 10:15 AM | Report abuse

© 2010 The Washington Post Company