Soldiers' Data Still Being Downloaded Overseas, Firm Says

By Ellen Nakashima
Washington Post Staff Writer
Friday, October 2, 2009

The personal data of tens of thousands of U.S. soldiers -- including those in the Special Forces -- continue to be downloaded by unauthorized computer users in countries such as China and Pakistan, despite Army assurances that it would try to fix the problem, according to a private firm that monitors cybersecurity.

Tiversa, which scours the Internet for sensitive data, discovered the data breaches while conducting research for private clients. The company found, as recently as this week, documents containing Social Security numbers, blood types, cellphone numbers, e-mail addresses, and the names of soldiers' spouses and children.

The availability of such data, security experts say, exacerbates the threat of identity theft and retaliation against troops on sensitive missions. In addition to using the information to drain financial accounts, hackers could pose as soldiers in an effort to ferret out sensitive data, including passwords to government systems.

Such disclosures represent a "major security risk" to the service members and the military, said Rep. Edolphus Towns (D-N.Y.), chairman of the House Oversight and Government Reform Committee, which was informed of the data breach by Tiversa.

The company found the sensitive documents by using "peer to peer" file-sharing software, which can be easily downloaded on the Internet and which allows computer users to share music or other files. While such software is popular -- in any given second, about 22 million people are on file-sharing networks -- many computer users do not realize that it can make the contents of their computers available to other file-sharers.

Towns, who is drafting legislation to address the problems raised by peer-to-peer technology, said: "What is striking about these file-sharing leaks is that these aren't one-time events. Once this software is installed and files are leaked, the leaking is continuous."

In 2003, the Army instituted policies barring the unauthorized use of peer-to-peer software. The Pentagon did the same in 2004, and defense contractors have followed suit. But critics say policies often are not enforced.

Of particular concern to security experts is Tiversa's discovery of personal information about soldiers in the 3rd Special Forces Group (Airborne), whose mission area is Africa.

"These guys are operating behind lines, and they are absolutely in the deepest part of the fight," said James Mulvenon, vice president of the intelligence division at Defense Group, a security consulting firm. "The fact that the documents have the names and addresses of the families and all the pressures that could be put to bear on them, it's a nightmare."

Carol Darby, a spokeswoman for the Army Special Operations Command, confirmed the data breach but described it as an isolated incident. She said those involved in the breach had been punished, but she did not provide details.

"The unit now has measures in place to reduce the chances of this happening again," she said.

Robert Boback, chief executive of Tiversa, said such precautions are not sufficient safeguards.

CONTINUED     1        >

© 2009 The Washington Post Company