Current Event – FAA, Kaiser Permanente Security Breaches; Tens of Thousands of Names Compromised

By cxlt at 10:25 pm on February 10, 2009 | 3 Comments

FAA

In another in a long line of recent high-profile security breaches both in and out of government, the Federal Aviation Administration has announced that in the course of a breach of its computer system, over 45,000 employee names – and presumably, personal information – were compromised. The systems were thankfully not connected to the air traffic control system or other critical operations systems.

The FAA is said to be following up with potentially affected individuals one by one.

Similarly, healthcare giant Kaiser Permanente reported on Sunday that nearly 30,000 employee names, addresses, Social Security numbers, and dates of birth were stolen. The breach was a chance discovery – the files containing the data were found in the possession of one Mia Garza, who was arrested on unrelated counts of stolen property and fraud. It is unclear how she came to possess the data, and thus it is entirely possible that copies of it are still in the hands of malicious people. As she was arrested on December 23rd of last year, it has clearly been quite some time since the breach occurred.

According to Kaiser, existing security policy included restricting access to sensitive information by ACL and encrypting data on electronic devices, including cell phones – both measures that sound wise. It is still entirely possible that the issue was that policy was not in fact being followed – Kaiser does not know what caused the loss of data.

Due to the lack of detail surrounding both of these events, they serve simply as a reminder of how broadly security breaches can affect people on a personal scale. In just a few weeks, companies and government agencies ranging from the above to RBS WorldPay (an event in which 1.5 million people’s financial information and 1.1 million Social Security numbers were stolen), Heartland Payment (which processes over four billion payments a year), and even security specialists Kaspersky have all suffered high-profile data breaches.

Hopefully all these attacks will remind other organizations to take a long, hard look at their security systems.

Filed under: Current Events

3 Comments

  • 1
    Comment by sunetrad

    February 11, 2009 @ 11:17 pm

    It is interesting to note in the wake of this attack, that the FAA had in late 2005 already installed a security event management system designed to help the agency better detect and respond to external and internal threats. This system was based on the Enterprise Security Management software and allowed the users to centrally monitor, collect and analyze information from intrusion detection systems and firewalls.

    With a string of security breach attacks, the theft of personal identification information seems like a victim of the “Broken Window Syndrome”. More and more similar attacks are being staged, and in many cases it is revealed that the victim company had no idea how the attack was planned or how it was executed or how long their system has been infected. The list of the institutions victimized by the Heartland Data breach is growing longer and according to the latest reports around 150 banks have been affected by it.

  • 2
    Comment by qwerty

    February 12, 2009 @ 12:22 pm

    What makes me curious is not how the prevention aspect of this vulnerability was overlooked – but the detection part of it. At what point and how did these organizations learn that this data was compromised? Shouldn’t there be some detection system when, say, more than 10 social security numbers are transmitted? Now I don’t know the details of these attacks – and maybe they don’t either – but detection is not to be left as unimportant, especially for the FAA.

    Also, you note that they will be “following up” with every affected individual one by one – but what does this involve? If someone has your social security number and credit card numbers or whatever else important information, what can they do to “follow up” with you? Give you a new SSN? New address? New Name? I think from this point it comes that both the prevention and detection techniques should be very strong in order to avoid the havoc of having to do the response technique.

  • 3
    Comment by cxlt

    February 12, 2009 @ 12:39 pm

    The followup process consists mostly of credit monitoring and disputing issues. If there is hard proof that it has been stolen, the IRS will issue you a new SSN.

    Also, note that in all the sources I could find, it seemed like the stolen data was not accessed through any database, but rather simply consisted of files that were copied down; thus once there was a breach it was all just filesystem, so few tracking and detection schemes would be effective here.
