Half of USAF Officers Exposed To Identity Theft
The US Air Force has
joined the long list of outfits that carelessly allowed hackers to
access sensitive personal data. As many as 33,000 officers -- half
of the entire active duty officer corps, including intelligence
officers, pilots, and nuclear missile crews -- had their personnel
files stolen by a brazen hacker. At least some of the thefts were
allowed to happen by USAF computer security officers, hoping to
catch the thief.
All the officers have been notified by now. Unfortunately, such
items as social security numbers and children's names, now in the
hands of unknown criminals, can't really be changed. So far, there
have been no cases of identity theft reported to AIr Force
officials, and the database, while containing extensive information
about the officers, didn't have one thing such thieves are always
looking for -- their credit card or bank account information.
The hacker was using a legitimate user's login and password on
the system. Indeed, Air Force security officials first discovered
that one users was loading "a lot of these records... it was very
uncharacteristic," Maj. Gen. Anthony F. Przybyslawski told
MSNBC.
Przybyslawski's signature was on a letter to Air Force officers
admitting the security breach and alerting them to the possibility
of ID theft.
They're not even sure when the thefts began. June, maybe. Or
May. Who knows?
"We are conducting a wall-to-wall review of our
personnel-related data systems to maximize the security of the
systems," Przybyslawski wrote to the victims on Friday. Good thing
they decided to maximize the security of the systems before, uh...
never mind.
There are some
mitigating factors. As Przybyslawski pointed out, there's been no
identifiable identity theft stemming from this breach, yet. And the
Air Force has a tough job, trying to manage personnel systems for
hundreds of thousands of disparate people scattered to the ends of
the earth.
The military, which does OK most of the time keeping classified
information, nukes, and other deadly weapons under lock and key,
has a poor record with computer security. Most military servers run
Windows, which is notorious for its security holes, and requires
crackerjack administration. But most servers are maintained by
junior enlisted personnel with very little training, or
do-more-with-less contractors.
On top of that, the military is very fond of very complex,
hard-to-memorize, and frequently changing passwords. While in
theory this is good for security, in practice it's bad: the users
write the passwords down, often on a desk blotter or on a Post-It
note stuck on their computer monitor.