Monday Morning News Kick Off: 500 Million Sensitive Records Breached Since 2005; Worst U.S. Military Breach and Much More


Written on August 29, 2010 – 5:45 am | by Jasmine Haller

Welcome to the Monday Morning Kick Off post from the ITAC blog. As our ever-faithful readers know, we aim to provide the most comprehensive compilation of the identity theft, data breach and cyber security stories you need to start the work week. Did you know that 500 million sensitive records have been breached in the past 5 years? Neither did we, and as shocking as it may be, it is not too surprising. Read about this and much more in our kick off post for the week of August 30. Happy Monday.

500 Million Sensitive Records Breached Since 2005

Employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online — the Chronology of Data Breaches shows hundreds of ways that the personal information of consumers is lost, stolen or exposed. The Chronology of Data Breaches, a project of the Privacy Rights Clearinghouse since 2005, lists incidents involving breached consumer information, such as personal medical records, credit card numbers and Social Security numbers. The most recent total, published August 24, 2010, is a wake-up call to consumers who think identity theft can’t happen to them.

Bad Flash Drive Caused Worst U.S. Military Breach

A malware-laden flash drive inserted in a laptop at a U.S. military base in the Middle East in 2008 led to the “most significant breach of” the nation’s military computers ever, according to a new magazine article by a top defense official. The malware uploaded itself to the U.S. Central Command network and spread undetected on classified and unclassified computers, creating a “digital beachhead, from which data could be transferred to servers under foreign control,” William J. Lynn III, U.S. deputy secretary of defense, wrote in his essay in the September/October issue of Foreign Affairs.

Closing The Cybersecurity Gap In Government

Across the federal government, agencies are grappling with a shortage of cybersecurity pros who have the skills to protect their computers and networks from relentless, and increasingly dangerous, forms of attack. The Department of Homeland Security and the Air Force received authority to expedite the hiring of almost 1,700 cybersecurity pros over the next two years, but fast-track hiring is a stopgap solution. The long-term answer requires new training programs and better ways of attracting and retaining employees with the sought-after skills. At a recent cybersecurity workforce conference at the National Institute for Standards and Technology’s offices in Gaithersburg, Md., chief information security officers and other government IT managers identified a range of related issues: a confusing morass of certifications; HR processes that identify candidates based on buzzwords, not bona fide experience; drawn-out hiring and security-clearance processes; federal mandates that push unqualified people to the front of the hiring line; and competition with the private sector for job candidates.

U.S. Cyber-security Leads Week in Security News

U.S. cyber-security was in the spotlight this past week when a senior Pentagon official confirmed an infected flash drive caused the “most significant breach of U.S. military computers ever.” Deputy Secretary of Defense William Lynn III discussed the 2008 incident in an article for Foreign Affairs magazine. “That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” Lynn writes. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

Data Breach at U-Kentucky

The University of Kentucky is notifying 2,207 individuals following the theft of a laptop with information from a newborn screening program. The password-protected, unencrypted laptop was stored in a locked, private room. Data on the device included patient and mother names, medical record numbers, date of birth, diagnosis, and some Social Security numbers of mothers. The laptop was stolen between June 18 and June 21. Following investigations, the University posted a public notice on its UKHealthCare web site on Aug. 19.


Tags: Breach, Monday Morning
