September 22, 2006

REID: THE BUSH ADMINISTRATION FAILS ON DATA SECURITY AGAIN

Washington, DC — Senate Democratic Leader Harry Reid today issued the following statement on news that the Commerce Department has lost over 1,100 computers, putting the personal information of thousands at risk. This failure is the latest in a string of gross errors at nearly every agency in the Bush Administration that has disclosed the personal information of millions. A fact sheet on data insecurity in the Bush Administration is attached below.

“From Veterans Affairs to the Transportation Department to Health and Human Services, incompetence runs deep in the Bush Administration. They talk tough about identify theft, but then show a complete disregard for the security and personal information of the American people. The Bush Administration must do a better job protecting the American people’s information. Last Monday, the Bush Administration finally filled the year-long vacancy and hired someone to manage cybersecurity at the Department of Homeland Security. He has a lot of work ahead of him.”

###

Data Insecurity at the Department of Commerce

Census Bureau Loses Laptops Compromising Information of 6,200 Households. “More than 1,100 laptop computers have vanished from the Department of Commerce since 2001, including nearly 250 from the Census Bureau containing such personal information as names, incomes, and Social Security numbers, federal officials said yesterday. This disclosure by the department was made in response to a request by the House Committee on Government Reform, which this summer asked 17 federal departments to detail any loss of computers holding sensitive personal information. Of the 10 departments that responded, the losses at the Commerce Department are `by far the most egregious,’ said David Marin, staff director for the committee. He added that the silence of the remaining seven departments could reflect their reluctance to reveal problems of similar magnitude. In a private briefing yesterday for three members of Congress, Commerce Secretary Carlos Gutierrez estimated that the disappearance of laptops from the Census Bureau could have compromised the personal information of about 6,200 households, Marin said.” [Washington Post, 9/22/06]

Data Insecurity at the Transportation Security Administration

Transportation Security Administration Mailed Thousands of Letters Containing Social Security Numbers and Birth Dates to Wrong Addresses. “The Transportation Security Administration is warning 1,195 of its former employees that a contractor may have mailed their Social Security numbers and birth dates to the wrong addresses and left them open to identity fraud. The error, acknowledged in letters the TSA mailed in late August to each of the former employees, is the latest in a series of data breaches that may have exposed workers in both private and government jobs to identity thieves.....The documents were standard forms that are sent to employees after they leave the government. The forms often list an employee's Social Security number, birth date and salary. It's unclear how many forms had that information.” [AP, 9/4/06]

Data Insecurity at the Department of Education

Security Failures in the Department of Education’s Website Left Federal Student Loan Holders’ Personal Information Unprotected. “A federal Department of Education official said yesterday that a routine software upgrade made Sunday night introduced a bug into the system that mixed up the data of different borrowers . . .A department spokeswoman said 6.4 million people have outstanding loans in the program, known as federal direct student loans, but she said she did not know how many people use the online account system. (Other types of student loans are managed separately through private companies.) Hudson La Force, senior counselor to the secretary of education, said four borrowers had called the department to complain since Sunday night. He said he did not know how many people's information was compromised, but said ‘we think the effect is pretty limited.’” [Boston Globe, 8/23/06]

Data Insecurity at the Department of Homeland Security

After a Year-Long Vacancy, Position of Cyber Security Czar at DHS Remains Vacant. “It has been nearly a year since Homeland Security Department Secretary Michael Chertoff announced the creation of a position for an assistant cyber security czar. . . That position remains unfilled. . . . Richard Clarke, a former cyber-security adviser to presidents Bush and Clinton, said it is critical that Bush nominate a cyber security czar for Homeland Security. ‘I think it's huge,’ he said. ‘I've talked to people in the private sector who say the federal government isn't serious about security because they haven't filled these positions. They talk a good game about cyber security, but they aren't serious about it.’" [GovExec.com, 7/5/06]

Former Advisor to the Bush Administration on Cybersecurity, Paul Kurtz, Says Continuing Vacancy Shows Chertoff Has Not Made the Issue a Priority: "What this tells me is that [Chertoff] still hasn't made this a priority . . . Having a senior person at DHS . . . is not going to stop a major cyber-attack on our critical infrastructures, but [it] will definitely help us develop an infrastructure that can withstand serious attacks and recover quickly." [Washington Post, 7/13/06]

Lawyer with No Background in Computer Security and Questionable Connections Serves as Acting Head of Cybersecurity. “The Bush administration's cybersecurity chief is a contract employee who earns $577,000 under an agreement with a private university that does extensive business with the federal office he manages. . . . Some lawmakers who oversee the department questioned the decision to hire Purdy as acting cybersecurity director. They noted enduring criticism by industry experts and congressional investigators over the department's performance on cybersecurity matters. . . .Purdy, a longtime lawyer, has held a number of state and federal legal and managerial jobs. He has no formal technical background in computer security.” [Washington Post, 6/29/06]

Former Head of Cybersecurity Resigned Due to the Lack of Attention Paid to Computer Security by Bush’s Homeland Security Department. “The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec, informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single's day notice of his intentions to leave. . . . Yoran has privately described frustrations in recent months to colleagues in the technology industry, according to lobbyists who recounted these conversations on condition they not be identified because the talks were personal.” [USA Today, 10/1/04]

Data Insecurity at the State Department

State Department Computers Breached by Hackers in the Days Preceding North Korean Missile Tests – Extent of Damage Unknown. “The State Department is recovering from large-scale computer break-ins worldwide over the past several weeks that appeared to target its headquarters and offices dealing with China and North Korea, The Associated Press has learned. Investigators believe hackers stole sensitive U.S. information and passwords, said U.S. officials familiar with the hacking. Whoever did the hacking reportedly tried to leave so-called back doors so they could come back later and keep intruding into the computers, CBS News correspondent Jim Stewart reports . . . . Asked what information was stolen by the hackers, [department spokesman Kurtis] Cooper said, ‘Because the investigation is continuing, I don't think we even know.’ Tracing the origin of such break-ins is difficult. But employees told AP the hackers appeared to hit computers especially hard at headquarters and inside the Bureau of East Asian and Pacific Affairs, which coordinates diplomacy in countries including China, the Koreas and Japan. In the tense weeks preceding North Korea's missile tests, that bureau lost its Internet connectivity for several days.” [CBS/AP, 7/11/06]

Data Insecurity at the F.B.I.

F.B.I. Hacked with Programs Widely Available on the Internet. “A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. . . . Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. Then he used another program to "crack" the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet. What Colon did was hardly cutting edge, said Joe Stewart, a senior researcher with Chicago-based security company LURHQ Corp. ‘It was pretty run-of-the-mill stuff five years ago,’ Stewart said.” [Washington Post, 7/6/06]

Data Insecurity at the Energy Department

Hacker Steals Names and Social Security Numbers of Nuclear Weapons Workers at the Energy Department; Victims Not Notified. “A hacker stole a file containing the names and Social Security numbers of 1,500 people working for the Energy Department's nuclear weapons agency. But the incident last September, somewhat similar to recent problems at the Department of Veterans Affairs, was not reported to senior officials until two days ago, officials told a congressional hearing yesterday. None of the victims was notified, they said.” [Washington Post, 6/10/06]

Energy Department Also Hit by Computer Thefts – 30 Employees’ Information Stolen. “Energy Department data also has gone missing in a series of computer thefts. Ten laptops containing personal information about approximately 30 employees were stolen from a Germantown, Md., payroll office in June, and another computer thought to have held personal data was stolen from a contractor at the Oak Ridge nuclear site in Tennessee.” [CQ, 7/10/06]

Data Insecurity at the Department of Veterans Affairs

Veterans Affairs Employee Had Permission from Superiors to Bring Sensitive Information Home on a Laptop Computer. “The Veterans Affairs worker faulted for losing veterans' personal information had permission to access millions of Social Security numbers on a laptop from home, agency documents obtained by the Associated Press show. . . . The department's documents raise questions as to whether top officials condoned a practice that led to a theft with the potential to affect 26.5 million veterans and active-duty troops. . . .The department said last month it was firing the data analyst, who is now challenging the dismissal. VA officials have said the firing was justified because the analyst violated department procedure by taking the data home; they also said he was ‘grossly negligent’ in handling sensitive information.” [AP, 6/29/06]

Blistering Report Faults VA Supervisors with Loss of Data of 26.5 Million. “The Veterans Affairs data analyst who lost sensitive information on 26.5 million veterans showed poor judgment by taking the data home, but his supervisors are also to blame for lax policies, investigators said Tuesday . . . In a blistering report, the Veterans Affairs inspector general, George J. Opfer, detailed a series of missteps, inadequate security measures and a general lack of concern in the events leading to the May 3 burglary at the analyst’s home in Maryland. A chain of the analyst’s supervisors, leading up to Deputy Secretary Gordon H. Mansfield, unreasonably put veterans at risk by failing to publicize the burglary until nearly three weeks later, the report found.” [AP, 7/12/06]

Data Insecurity at the Agriculture Department

Agriculture Department Security Breached by a Hacker; 26,000 Washington-Area Employees’ Information at Risk. “A hacker broke into the Agriculture Department's computer system and may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors, the department said Wednesday. . . . The break-in happened during the first weekend in June, the department said. Technology staff learned of the breach on June 5 and told Johanns the following day but believed personal information was protected by security software, the department said. However, on further analysis, staff concluded that data on current or former employees might have been accessed and informed Johanns on Wednesday, according to the department.” [USA Today, 6/22/06]

Data Insecurity in the Federal Trade Commission

Federal Trade Commission Loses Personal Information of 110 People on Two Laptops. “The laptops were taken from the locked car of an attorney for the Federal Trade Commission. As if that weren't ironic enough, many of the people whose data was taken are being investigated for possible fraud. The FTC says it will provide free credit monitoring for the 110 people whose names, addresses, Social Security numbers, and in some instances, financial account numbers, were taken. [AP, 6/23/06]

Data Insecurity at the Department of Health and Human Services

HHS Allows Medical Records to be Posted on the Internet, Admits Losing Data Five Times This Year. “An individual conducting a search on an Internet search engine unexpectedly discovered that his medical records had been posted on a Web site maintained by the Indian Health Service, a division of the Department of Health and Human Services (HHS), according to HHS data security officials familiar with the case. Indian Health Service officials, alerted to the problem in late January, quickly removed the records but say they cannot explain how the mishap occurred or know for sure how long the information was posted. The incident, which has not been publicly disclosed, may be a violation of the 1996 Health Insurance Portability and Accountability Act, or HIPAA, that HHS is in charge of enforcing. Officials say that no disciplinary action was taken against anyone involved in the incident. HHS, a sprawling agency that holds tens of millions of Americans’ health records, says its employees and contractors have accidentally lost or released personal data five times this year, which is not unusual for large government agencies.” [CQ, 7/10/06]

Data Insecurity in Afghanistan

Hard Drives Containing Information on Afghan Spies Working for the U.S. Military Found For Sale at Local Bazaars. “Following a newspaper’s discovery of stolen U.S. military computer drives showing up for sale at local bazaars outside the large base here, the military announced a crackdown but merchants were still selling the digital wares — including what appeared to be information about Afghan spies informing on al-Qaida and the Taliban. The Los Angeles Times, which first reported the sales on Monday, said that it was still able to find computer drives two days later — the same day that five military investigators, surrounded by heavily armed plainclothes U.S. soldiers, searched many of the two-dozen rundown shops outside the sprawling base. One flash memory drive, the Times reported Thursday, holds the names, photos and phone numbers of people described as Afghan spies working for the military. The data indicates payments of $50 bounties for each Taliban or al-Qaida fighter caught based on the source’s intelligence.” [MSNBC, 4/13/06]

Data Insecurity at the Department of Defense

Hacker Gains Access to Health Care Insurance Information for More than 14,000. “An intruder gained access to a Pentagon computer server and compromised confidential health care insurance information for more than 14,000 people. The Pentagon learned of the intrusion April 5 and told the public on April 28.” [AP, 6/22/06]

Department of Defense Targeted by Hackers in China. “[L]ast summer, the Defense Department and other U.S. agencies noticed [anomalies with network traffic on] their computers. Hackers in China were considered the culprits in that incident . . . China's government was considered by experts a chief suspect in computer break-ins at the Defense Department and other U.S. agencies disclosed last summer. But China also is home to a large number of insecure computers and networks that hackers in other countries could use to disguise their locations and launch attacks.” [CBS/AP, 7/11/06]

Data Insecurity in the Navy

Sailors’ Personal Information Discovered on the Internet. “The Navy has begun a criminal investigation after Social Security numbers and other personal data for 28,000 sailors and family members were found on a civilian website. The Navy said Friday the information was in five documents and included people's names, birth dates and Social Security numbers. Navy spokesman Lt. Justin Cole would not identify the website or its owner, but said the information had been removed. He would not provide any details about how the information ended up on the site.” [USA Today, 6/25/06]

« Back to Press Releases