Hacker Steals Air Force Officers' Personal Information
Tuesday, August 23, 2005
Social Security numbers, birth dates and other private data on roughly 33,000 Air Force officers -- about half the branch's officer corps -- were stolen from a military computer database, the service informed its personnel late last week.
Officials of the Air Force Personnel Center, based at Randolph Air Force Base in San Antonio, said the intrusion occurred sometime in May or June, apparently by someone who used a legitimate user's log-in information to gain access to the system.
The exposed data did not include financial records, but contained such personal information as marital status, number of children and academic records. No incidents of identity fraud have been tied to the theft, the military said, but officers were warned that Social Security numbers could be used to get other private data.
Affected Air Force personnel were advised to monitor their credit reports closely.
The theft is the latest in a spate of data breaches over the past two years involving government agencies, universities, commercial firms and data brokers, resulting in the exposure of tens of millions of consumers to potential fraud.
The Air Force information was contained in an online system designed to help officers manage their assignments and careers. The Air Force detected the breach after "we determined that there was one individual who was reviewing a lot of these records . . . it was very uncharacteristic," Maj. Gen. Anthony F. Przybyslawski said in an interview.
The incident is being investigated by both military and civilian law-enforcement agencies. "We are conducting a wall-to-wall review of our personnel-related data systems to maximize the security of the systems," Przybyslawski wrote in a letter on Friday to Air Force personnel.
He wrote that the career-management system was shut down when the intrusion was discovered, but that personnel were not immediately notified pending an initial investigation.
The system was restored with enhanced security, the letter said, adding that "identity theft and other fraudulent uses of our resources steal from our operational budgets."
John E. Pike, director of GlobalSecurity.org, said the breach is part of a persistent problem with cyber-security that the Pentagon has been unable to overcome. While Pike said the military has a strong record of protecting classified information related to its mission, it has had less success guarding sensitive data about its people. "They have historically done much better at protecting operational systems than at protecting administrative systems," Pike said.
The problem, he said, is that the Pentagon doesn't make security for those systems a top priority. "Robust security can be expensive, and it can be annoying to implement," he said.
Three years ago, a San Diego security firm out to demonstrate vulnerabilities used the Internet to access government and military computers without authorization. Consultants for the firm used free, publicly available software to browse through files containing military procedures, e-mail, Social Security numbers and financial data.
In December, Bank of America lost tapes containing financial data on about 1.2 million federal employees, including some U.S. senators. About 900,000 of those exposed worked for the Department of Defense.
Bruce Schneier, chief technology officer for the security services company Counterpane Internet Security Inc., said the Air Force's problems are hardly surprising given the string of security breaches at commercial firms this year. He said that data security has been weak, "and the Pentagon is no different than ChoicePoint, CardSystems or Time Warner. People aren't taking it seriously, so this happens," he said.
Schneier said that while affected Air Force officers may be vulnerable to identity theft as a result of the intrusion, he doesn't think this breach is any more dangerous than others. Knowledge of an Air Force officer's Social Security number, he said, is unlikely to help the culprit get access to Air Force facilities or weaponry. "It takes a lot more than knowing who you are for that," he said.
Staff writer Griff Witte contributed to this report.