Security Risk: The Device Formerly Known as Your Hard Drive

Guest editorial by Paul Roberts  In a weird kind of synchronicity, two stories recently have raised the specter of discarded (not merely misplaced) hard drives as the source of considerable consternation and legal wrangling. In the most serious incident, the Inspector General of the National Archives and Records Administration (NARA) launched an investigation into a potential data breach that could expose the personal information and health records of up to 70 million veterans.

Guest editorial by Paul Roberts 

In a weird kind of synchronicity, two stories recently have raised the specter of discarded (not merely misplaced) hard drives as the source of considerable consternation and legal wrangling. In the most serious incident, the Inspector General of the National Archives and Records Administration (NARA) launched an investigation into a potential data breach that could expose the personal information and health records of up to 70 million veterans.

The issue that exposed the information began with a broken hard drive, one that had been part of a RAID (redundant array of independent disks) system of drives on which data was stored from an Oracle database with the social security numbers and health records of 76 million veterans, dating back to 1972. The database powered the system eVetRecs, a portal used by veterans to access health records and discharge papers. The drive in question failed in November 2008 and was sent back to the contractor from which NARA had bought the drive. When the contractor determined the drive couldn’t be fixed it was sent on to another firm for recycling. The problem, here, is that the unencrypted drive was sent away before the information on it was properly erased.  Hank Bellomy, a NARA IT manager, reported the potential breach to NARA’s inspector general after trying to subvert the agency’s recycling policy by hiding the broken drive in his safe. Bellomy has since been put on long-term leave.

While no security polices were broken at the time, NARA has since changed its recycling policy and will no longer return drives once they are deemed defective. Still, one has to wonder at the careless disposal of personal information by the agency responsible for our records, especially since the security risk posed by discarded drives is no new revelation. Researchers have been warning about it for years. Technologist Simson Garfinkel famously exposed the problem of careless data loss through discarded drives in an article [pdf] for IEEE Security & Privacy back in 2003. Garfinkel’s article documented inadvertent loss through discarded PCs going back as far as 1997. Since then, countless reporters have repeated his experiment: trolling eBay or local transfer stations for discarded PCs, only to take them home, plug them in and find tax returns, medical records, family photos and other sensitive information cast to the (virtual) winds. In fact, the most recent IG’s report wasn’t the first time NARA has mishandled its electronic records; in March 2009 a hard drive containing copies of records from the Executive Office of the President covering the Clinton administration. Both incidents call to mind the breach in 2006 when a Veteran’s Affairs laptop went missing, exposing some 26 million veteran’s personal information. The laptop was later recovered, with the personal information intact. A lawsuit over the breach was settled earlier this year for $20m.

The other data point, for those of us in the Boston area, is an ongoing drama at City Hall over the loss of some potentially “hot” e-mail messages from an advisor to Mayor Thomas Menino (who, btw, is in the midst of a re-election campaign.) As the Boston Globe reported today, a hard drive belonging to Mayoral aide Michael J. Kineavy has been recovered that may contain months of e-mail exchanges requested in an freedom of information request filed by the Globe. The drive had been replaced by IT staff at City Hall after Kineavy complained the drive was running slowly — a request made just days after receiving the Globe’s FOIA request. (Shocker.) Not only was the City’s handling of that request botched, but the article goes on to state that Kineavy’s replacement laptop had, itself, been repurposed from a “law department employee” and still contained e-mails from that individual, which then showed up on an outside forensic audit by a firm hired by the City. Boston could get stuck with hundreds of thousands of dollars in bills for a forensic search to recover Kineavy’s lost e-mail (he was a habitual “double deleter” we learn), but the Mayor’s Office and City of Boston will still emerge from this smelling pretty bad, even if the sensitive information is recovered.

Long and short: three years after the VA controversy blew up, there’s still a vast gulf between popular awareness of data breach and the practical reality of managing IT infrastructure, with even closely scrutinized organizations playing fast and loose with data security and proper data destruction policies.

* Paul Roberts is a senior security analyst for enterprise security at The 451 Group. Lauren Eckenroth, research associate at The 451 Group, also contributed to this article.

Suggested articles

Discussion

  • kserab on

    How does the City of Boston emerge, "smelling bad" from this when they've done more than was asked for by posting all of these emails on line for everyone to see -- Bill Galvin, Secretary of State who requested the emails has said all along that the City has been cooperative to all his requests.

     

    The Boston Globe on the other hand has created rumors that these emails are "hot."  There's nothing, no evidence anywhere, and no accusations by any credible sources that these emails contain anything pointing to wrong-doing on the City's part.

     

    There have been no charges or accusations of corruption by any legal authority, yet this continues to be a "scandal"? This is just another case of the media sensationalizing non-issues to distract the public from the real issues at hand.

     

    Also, the Boston Globe sat on this story for 2+ months -- when they FOIA'd the records earlier this year they never stated that what the city turned up was unsatisfactory until a week before the Preliminary Elections -- if this is really news, why didn't the Globe report it when they knew about it instead of use it as a distraction for voters?

  • Anonymous on

    Watch the video and read the testimony from the house oversight committee hearing held on 11/05/09. NARA has done it again only this time they leaked federal employee PII data. See Ben Bain's article from FCW.

    http://groc.edgeboss.net/wmedia/groc/informationpolicy/2009/11.05.09.ip.archives.wvx

    http://oversight.house.gov/index.php?option=com_content&task=view&id=4671&Itemid=29

    http://fcw.com/articles/2009/11/06/web-nara-it-security-problems.aspx?sc_lang=en

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.