Guest editorial by Paul Roberts
In a weird kind of synchronicity, two stories recently have raised the specter of discarded (not merely misplaced) hard drives as the source of considerable consternation and legal wrangling. In the most serious incident, the Inspector General of the National Archives and Records Administration (NARA) launched an investigation into a potential data breach that could expose the personal information and health records of up to 70 million veterans.
The issue that exposed the information began with a broken hard drive, one that had been part of a RAID (redundant array of independent disks) system of drives on which data was stored from an Oracle database with the social security numbers and health records of 76 million veterans, dating back to 1972. The database powered the system eVetRecs, a portal used by veterans to access health records and discharge papers. The drive in question failed in November 2008 and was sent back to the contractor from which NARA had bought the drive. When the contractor determined the drive couldn’t be fixed, it was sent on to another firm for recycling. The problem here is that the unencrypted drive was sent away before the information on it was properly erased. Hank Bellomy, a NARA IT manager, reported the potential breach to NARA’s inspector general after trying to subvert the agency’s recycling policy by hiding the broken drive in his safe. Bellomy has since been put on long-term leave.
While no security policies were broken at the time, NARA has since changed its recycling policy and will no longer return drives once they are deemed defective. Still, one has to wonder at the careless disposal of personal information by the agency responsible for our records, especially since the security risk posed by discarded drives is no new revelation. Researchers have been warning about it for years. Technologist Simson Garfinkel famously exposed the problem of careless data loss through discarded drives in an article [pdf] for IEEE Security & Privacy back in 2003. Garfinkel’s article documented inadvertent loss through discarded PCs going back as far as 1997. Since then, countless reporters have repeated his experiment: trolling eBay or local transfer stations for discarded PCs, only to take them home, plug them in and find tax returns, medical records, family photos and other sensitive information cast to the (virtual) winds. In fact, the most recent IG’s report wasn’t the first time NARA has mishandled its electronic records; in March 2009 a hard drive containing copies of records from the Executive Office of the President covering the Clinton administration. Both incidents call to mind the breach in 2006 when a Veterans Affairs laptop went missing, exposing some 26 million veterans’ personal information. The laptop was later recovered, with the personal information intact. A lawsuit over the breach was settled earlier this year for $20m.
The other data point, for those of us in the Boston area, is an ongoing drama at City Hall over the loss of some potentially “hot” e-mail messages from an advisor to Mayor Thomas Menino (who, btw, is in the midst of a re-election campaign). As the Boston Globe reported today, a hard drive belonging to mayoral aide Michael J. Kineavy has been recovered that may contain months of e-mail exchanges requested in a freedom of information request filed by the Globe. The drive had been replaced by IT staff at City Hall after Kineavy complained the drive was running slowly — a request made just days after receiving the Globe’s FOIA request. (Shocker.) Not only was the City’s handling of that request botched, but the article goes on to state that Kineavy’s replacement laptop had, itself, been repurposed from a “law department employee” and still contained e-mails from that individual, which then showed up in an outside forensic audit by a firm hired by the City. Boston could get stuck with hundreds of thousands of dollars in bills for a forensic search to recover Kineavy’s lost e-mail (he was a habitual “double deleter,” we learn), but the Mayor’s Office and City of Boston will still emerge from this smelling pretty bad, even if the sensitive information is recovered.
Long and short: three years after the VA controversy blew up, there’s still a vast gulf between popular awareness of data breaches and the practical reality of managing IT infrastructure, with even closely scrutinized organizations playing fast and loose with data security and proper data destruction policies.
* Paul Roberts is a senior security analyst for enterprise security at The 451 Group. Lauren Eckenroth, research associate at The 451 Group, also contributed to this article.