Friday, March 31, 2006

Laptop Loss Exposes U.S. Marines

The Marine Corps can now join a growing list of organizations that have compromised personal data stored on a laptop.

The Stars and Stripes is reporting:

A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops’ credit records and privacy.

In a message sent out to Marines, officials said the information was encoded and so far they’ve seen no evidence the information is being abused. But, because the data could be used for criminal purposes, they are asking all Marines to be on guard for signs of identity theft.

According to officials from the Manpower Information Technology Branch, the portable drive was part of a Naval Postgraduate School research project. The information was being used in research about the effectiveness of re-enlistment bonuses, but it was lost in a computer lab on campus in Monterey, Calif.

The drive contained the names, Social Security numbers, marital status and enlistment contract details for enlisted Marines on active duty between January 2001 and December 2005.

School officials were notified that the data had been lost March 14. The servicewide message about the missing information was sent out 10 days later.

Data breaches are becoming weekly stories in the media. Recently, Ernst and Young, the accounting giant lost several laptops AND the personal data from several companies was compromised.

Both the Marines and Ernst and Young have made statements that the information was protected.

The Register, who has been reporting the Ernst and Young story had an interesting comment from a reader with a little technical expertise:

"I work for a information security consulting company and we routinely demonstrate to our customers how simple it is to circumvent/bypass/subvert security controls in order to gain access to personal computing devices -even those that are deemed to be secure as a result of the implemented security - BIOS password, hard drive password, OS password, strong authentication, etc."

If the Marines were completely confident that the information was protected they wouldn't be warning their troops.

Passwords can also compromised via more social means, meaning they can be compromised by the people, who use them. In other words, the ability to hack into the systems might not be a issue in getting to the data. In any case, such as this, insider involvement is a distinct possibility.

One has to wonder if these laptops were targeted because of the information they contained? If so, the people behind this have probably taken into account how they would get past the protection installed on the systems.

Here are a series of articles from the Register on the Ernst and Young story:

Lost Ernst & Young laptop exposes IBM staff The Register
Nokia staff jacked by Ernst & Young laptop loss
HK police complaints data leak puts city on edge
Fidelity lost HP's employee data to impress HP
40,000 BP workers exposed in Ernst & Young laptop loss
200,000 HP staff exposed as laptop loss party continues
Readers amazed by Ernst & Young's laptop giveaway
Ernst & Young loses four more laptops
Ernst & Young fails to disclose high-profile data loss

Here is a list of the major data breaches from the Privacy Rights Clearinghouse. They have been compiling this over the past couple of years and it's pretty amazing.

For any Marines, who think their information is being used, the best place to go for help is the Federal Trade Commission (FTC).

Since, I was one of you guys a long time ago, if I can be of assistance, please leave a comment on here, or write me at

The full story from the Stars and Stripes can be viewed by clicking on the title of this post.

No comments: