RealTime IT News

Another Government Security Breach

This time it isn't a stolen laptop. This time it's what security people fear the most: a system hack.

According to the U.S. Department of Agriculture (USDA), unknown hackers may have illegally accessed a USDA database containing the names, Social Security numbers and photos of current and former agency employees.

The USDA said approximately 26,000 Washington, D.C., area employees are potentially at risk for identity theft. The USDA is providing one year of free credit monitoring to those affected by the intrusion.

The hack occurred during the first weekend of June. USDA Secretary Mike Johanns found out about the intrusion on June 6. The USDA said Johanns was told at that time that no personal identity information was at risk.

However, further forensic analysis revealed that it was "uncertain" whether employee personal data was adequately protected during the hack, prompting Johanns to issue a public notice of the intrusion.

"The compromised system was taken offline and put on a new server," Ed Loyd, a spokesman for the USDA, told internetnews.com. "We don't know yet who was responsible or how the system was compromised."

Loyd said the USDA had not determined whether the compromised data had been "downloaded," but the agency's investigation is ongoing.

"It sounds like they had some level of security on the path, but they didn't have anything on the data itself. That's egregious," Gordon Rapkin, president and CEO of security firm Protegrity, told internetnews.com.

"Just because the bank locks the doors at night it doesn't mean they lock the vault."

Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA), added, "From our view, this is yet another incident of not taking security seriously. It seems like there's a breach a day in the government."

The latest breach at the USDA -- which has scored an F for five straight years on the federal computer report card grades issued by the House Government Reform Committee -- follows breaches at the Veterans Administration (VA) and the Federal Trade Commission (FTC).

Earlier this week, the FTC admitted two laptops containing the personal information of 110 people were stolen.

And in May, the VA, which has received an F in four of the last five years on the annual report cards, reported the second-largest security breach on record. An employee's stolen laptop put more than 26 million veterans at risk of identity theft.

As in the USDA case, both the VA and the FTC are offering free credit monitoring to affected persons. The Senate Appropriations Committee has earmarked $160 million to cover the cost of the VA's credit monitoring obligations.

"The cost of the remedy is so far in excess of what it would have cost to put in protection," Rapkin said. "It's a horrible waste of funds."

In the private sector, Rapkin noted, if a merchant consistently scored F's on a security check, the cost and liability of a breach would be shifted to the merchant.

Rapkin added the government should reconsider its "entire policy for spending on prevention."

The CSIA's Kurtz agreed.

"There needs to be senior-level involvement in reviewing and enforcing security policies for government agencies," he said. "There needs to be greater accountability."

Congress is considering a number of data protection and public breach notice laws. In most of the bills, companies and government agencies would be exempted from disclosure requirements if they encrypt their data.

"There ought to be an assumption that data is encrypted when it is at rest or in transit," Kurtz said. "With encryption, a stolen laptop is simply a stolen laptop."