Jana Winter of Fox News reports that the Secret Service – the agency that is often involved in investigations of data breaches – had its own breach back in 2008 that is now (finally?) under investigation:
The Secret Service is the target of an investigation into an “immense breach” involving the loss of two backup computer tapes left on a Washington, D.C., Metro train that contained sensitive personal information about all agency employees, contacts and overseas informants, according to multiple law enforcement and congressional sources.
[…]
Sources said the tapes were lost on the Red Line of the Metro in 2008 by a young, low-level associate of a private contracting company that had been hired to transport them from Secret Service’s Investigative Resources Management division at the agency’s headquarters in the Penn Quarter section of Washington, D.C., to a secure vault in Olney, Md., where government agencies store contingency plans, documents and other backup material. The employee had volunteered to deliver the tapes because he lived near the location of the vault, but got off at the Glenmont, Md., Metro stop without the tapes, according to sources.
Sources said the “personally identifiable information” — or “PII,” in government-speak — on the tapes includes combinations of the following: Social Security Numbers; home addresses; information about family members; phone numbers; dates of birth; medical information; bank account numbers; employment information; driver’s license numbers; passport numbers; and any biometric information on file with the Secret Service.
Did the Secret Service handle this breach properly or did it fail to provide adequate disclosure and notice to those affected? It depends on whom you ask, as Fox reports, and hopefully the investigation by Department of Homeland Security Office of Inspector General will get to the bottom of this one.
Disturbingly, this breach might never had been made public were it not for the recent Secret Service scandal involving the conduct of agents. It was that investigation that led to the investigation of this other matter as part of looking into the culture of the Secret Service.
I understand things happen, but, this is at one of the higher level, trusted entities we’re talking about. Everything has risks. When they say “low-level” it looks like they entrusted someone that may faulter in their duties – and they did.
Its another example of convenience over traditional security practices. I know it does not cost that much to throw these tapes in the mail and get them to the ultimate destination.
If the tapes are delivered on a regular basis, a routine, like the person they deliver it to – the front dsk of the vault calls back to the shipper and says….we got the package. It shows that the package was delivered and gives everyone alittle responsibility. That 15 second phone call is all it takes to ensure the product was delivered.
On the long period of time it took the SS to show its cards – they were probably waiting to see if the data would be used. I am sure they were intently searching for data that was unique that resided on the tapes, and then they could follow the trail and eventually get them back.
This is a big deal – Its almost like “Do as I say, not as I do”. The SS spearheads alot of breaches and though I don’t personally know how they handle alot of the breach interviews, but any finger pointing will be with less Oooomph as they too have fallen victim to a breach. The organization has to save face, and over time this will be forgotten about. but for now, I sense there will be a lynch mob out, although the motive my be for other than the loss of tapes.
An Agency like this isn’t going to reveal a breach like this overnight. There are reasons for this. Especially if it has informant data on it. The enemies of the Secret Service would have put a bounty on these tapes and used the data to their advantage and made the breach ALOT worse than it is right now. Peoples’ lives could have – or could still be – at stake.
My guess is one of two things. Some one found them, sold them to a adp style shop for a few bucks. They were probably overwritten and are still being used, but the original data is purged.
The other possibility is they are in a junk drawer in some lost and found file cabinet, or were tossed by workers cleaning up the train at the end of the day. Heck, they could have been auctioned off, or whatever. Though I am not a true betting man, odds are- after all this time, that they were destroyed.
Lets hope for the best. =\