BreachExchange mailing list archives

The most dangerous data breach ever known


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Jun 2015 17:39:02 -0600

http://www.infoworld.com/article/2941333/data-security/the-most-dangerous-data-heist-ever-known.html

From time to time I have the depressing task to write about yet another
data loss event that caused the personal details of millions of people to
fall into the hands of criminals. Usually this is credit card data, along
with names and email addresses. Sometimes physical addresses are included,
and occasionally even more sensitive data like Social Security numbers goes
along for the ride. Usually this data was collected by a large retailer
that had no qualms about storing the sensitive information, but clearly
neglected to properly secure it.

Stolen data is primarily used for credit card fraud, though if there's
enough information available, identity theft is a definite possibility.
Millions of affected people have been forced to get new credit cards, check
their statements for fraudulent charges, and rework any automated payment
arrangements and whatnot. It's a big pain in the ass, and frankly, it has
happened far too often, especially when once should be considered more than
enough.

Heartland, Target, TJX, Anthem ... we've seen some massive data breaches
over the years. But none can hold a candle to the breach the U.S.
government announced last week. Not even close. On a scale of one to 10,
with one being the loss of credit card numbers and names, this data loss
event would conservatively be a 15.

Most people aren't aware of exactly what type of information the federal
government collects on its employees, especially those with security
clearances. We all have some idea that government employees have relatively
strict reporting requirements for financial information, and we know that
federal workers with higher clearances undergo thorough background checks
and must submit to interviews of both themselves and their family and
friends. This is done to flag potential problems and to prevent outside
agents from having undue influence over people who may have access to
sensitive information and materials.

Put simply, if you have a security clearance, the government would like to
know if you have a drug problem or if you are in serious debt, because a
foreign interest may try to use that situation as leverage to coerce you
into revealing sensitive information. In the interest of national security,
these safeguards make sense.

But the true nature and scope of the information required by the government
and subsequently collected by the government on an employee is massive.
Take a look at Standard Form 86. This is a 127-page form that usually takes
a week or more to complete and requires the entry of the applicant's Social
Security number on each page. The data included on this form is not just
enough for identity theft, but enough to allow a person to literally become
another person. Each Standard Form 86 fully documents the life of the
subject. The only thing missing is the name of your first crush, though
that might be in there somewhere too.

Some 18 million people had this level of personal data -- and more,
including data collected by observers -- lost to foreign agents last week.
If the government collected this data to know if an employee was vulnerable
to undue outside influence, then it just succeeded in closing that loop
itself, having now released it into the wild. All of those vulnerabilities
are now known and available for exploit to whoever stole the data, or to
whomever they wish to sell that data. This is very, very bad.

I should also mention that many of those whose personal information was
swept up in this data loss event were never even government employees in
the first place. They may have filled out the forms and submitted
applications, but they were never hired or they declined the job. This
includes prospective TSA agents right on up through CIA employees -- the
higher the position, the higher the clearance, the more sensitive the data
that was collected and lost. Information on these people's infidelities,
sexual fetishes, mental illnesses, criminal activities, debts, and other
highly personal information is now in the hands of cyber-attackers. This is
damage that cannot be undone or mitigated. We can change credit card
numbers and refund fraudulent charges, but we can't change any of the
personal data and intimate details of these people's lives. That's a
permanent loss.

One could argue that however disastrous this data loss event is, the
government had a requirement to store this data. It needed to collect and
maintain this data, even if it failed to secure it. That said, this is the
same government that is collecting a massive amount of data on all of us,
whether we're prospective federal employees or not, via Internet and phone
surveillance. If the federal government is lax enough to lose immeasurably
sensitive information on its employees, how secure is the data that it has
decided it needs to collect on everyone in the world?

Many people believe that the U.S. government shouldn't be collecting and
storing this data in the first place, and that there's no need to maintain
that data collection. This event underscores the fact that maintaining this
data is not just privacy invasion on a massive scale, but it's actually
dangerous. What happens when the next data loss event contains highly
sensitive data on hundreds of millions of people? We can't put that cat
back in the box no matter how we might try. You might think that the best
way to guard against that possibility is to stop collecting that data in
the first place.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/