Half of USAF Officers Exposed To Identity Theft

The US Air Force has joined the long list of outfits that carelessly allowed hackers to access sensitive personal data. As many as 33,000 officers -- half of the entire active duty officer corps, including intelligence officers, pilots, and nuclear missile crews -- had their personnel files stolen by a brazen hacker. At least some of the thefts were allowed to happen by USAF computer security officers, hoping to catch the thief.

All the officers have been notified by now. Unfortunately, such items as social security numbers and children's names, now in the hands of unknown criminals, can't really be changed. So far, there have been no cases of identity theft reported to AIr Force officials, and the database, while containing extensive information about the officers, didn't have one thing such thieves are always looking for -- their credit card or bank account information.

The hacker was using a legitimate user's login and password on the system. Indeed, Air Force security officials first discovered that one users was loading "a lot of these records... it was very uncharacteristic," Maj. Gen. Anthony F. Przybyslawski told MSNBC.

Przybyslawski's signature was on a letter to Air Force officers admitting the security breach and alerting them to the possibility of ID theft.

They're not even sure when the thefts began. June, maybe. Or May. Who knows?

"We are conducting a wall-to-wall review of our personnel-related data systems to maximize the security of the systems," Przybyslawski wrote to the victims on Friday. Good thing they decided to maximize the security of the systems before, uh... never mind.

There are some mitigating factors. As Przybyslawski pointed out, there's been no identifiable identity theft stemming from this breach, yet. And the Air Force has a tough job, trying to manage personnel systems for hundreds of thousands of disparate people scattered to the ends of the earth.

The military, which does OK most of the time keeping classified information, nukes, and other deadly weapons under lock and key, has a poor record with computer security. Most military servers run Windows, which is notorious for its security holes, and requires crackerjack administration. But most servers are maintained by junior enlisted personnel with very little training, or do-more-with-less contractors.

On top of that, the military is very fond of very complex, hard-to-memorize, and frequently changing passwords. While in theory this is good for security, in practice it's bad: the users write the passwords down, often on a desk blotter or on a Post-It note stuck on their computer monitor.

FMI: www.af.mil