Hacker taps into US military database

If you want proof that protecting personal information is a hard thing and that Data Rejection is a key technology, read this report from the Washington Post:

A suspected hacker tapped into a US military database containing social security numbers and other personal information for 33,000 Air Force officers and some enlisted staff.

That figure represents about half of the officers in the USAF but no identity theft had been reported as of early today, said Tech Sgt James Brabenec, a spokesman at Randolph Air Force Base in Texas.

“We are doing everything we can to catch and prosecute those responsible,” Maj Gen Tony Przybyslawski said.

Social security numbers, birth dates and other information was accessed some time in May or June, apparently by someone with the password to the air force computer system, Brabenec said.

On Friday, the people affected were notified of steps they could take to protect their identity, he said.

The military, while protecting classified information, has had trouble protecting data about its people, a computer expert told The Washington Post, which first reported the incident.

“They have historically done much better at protecting operational systems than at protecting administrative systems,” said John Pike, director of GlobalSecurity.org.

In my view this is an excellent example of how even organizations well aware of security issues tend to excel at their core competencies – and proper handling of personal information is likely not the key driver in their approach to information, system design and operations.

This is why we can expect that those who specialize in and build their reputations by protecting personal identifying information are likely to do the best job at it.

A technology that allows relying parties to “request and then forget” personal information – this on a “need to know” basis and only when explicitly permitted by the user – is in my view the only sensible path forward. All information that is retained, for example for auditing purposes, should be encrypted under keys limited to the authorized off-line usage of appropriate personnel.
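The "request and then forget" pattern above, as an added example that is not the post's own code: the online relying party holds only an auditor's public key, so it can append audit records it cannot read back, and the plaintext claims are used for a single decision and never stored. The claim shape, the age-check purpose and the sample values are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"time"
)

// Claims is what the relying party asks the user to release (a constructed sample shape).
type Claims struct {
	BirthDate string `json:"birth_date"` // YYYY-MM-DD
	SSN       string `json:"ssn"`
}

// AuditRecord is all that is retained, and only as ciphertext the online system cannot open.
type AuditRecord struct {
	Purpose string `json:"purpose"`
	Allowed bool   `json:"allowed"`
	Claims  Claims `json:"claims"`
	At      string `json:"at"`
}

var oaepLabel = []byte("audit-v1") // binds the ciphertext to this use
// CheckAge is the online "request and then forget" step: it uses the claims for one
// decision and returns the verdict plus an encrypted audit entry; nothing keeps the plaintext.
func CheckAge(auditPub *rsa.PublicKey, c Claims, minAge int, now time.Time) (bool, []byte, error) {
	dob, err := time.Parse("2006-01-02", c.BirthDate)
	if err != nil {
		return false, nil, err
	}
	ok := !now.AddDate(-minAge, 0, 0).Before(dob)
	rec := AuditRecord{"age-check", ok, c, now.UTC().Format(time.RFC3339)}
	plain, _ := json.Marshal(rec)
	// RSA-OAEP with a 2048-bit key holds at most 190 bytes; this compact record fits.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, auditPub, plain, oaepLabel)
	return ok, ct, err
}

// OfflineAudit is run by authorized personnel who hold the private key, away from the
// online system; it is the only path by which a retained record becomes readable again.
func OfflineAudit(priv *rsa.PrivateKey, ct []byte) (AuditRecord, error) {
	var rec AuditRecord
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return rec, err
	}
	return rec, json.Unmarshal(plain, &rec)
}
```

The private key never needs to exist on the online host: generate it on the auditors' offline system and ship only the public key to the service.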

I like the use of “suspected hacker” in the article. Maybe it wasn't really a hacker who broke in – just someone who accidentally ended up on the site, and traipsed on the social security numbers through sheer bad luck.


Published by

Kim Cameron

Work on identity.