The Naval Surface Warfare Center warns employees

Date Reported:
1/11/08

Organization:
United States Navy

Contractor/Consultant/Branch:
Naval Surface Warfare Center Dahlgren Division (NSWCDD)*

*Dahlgren is a weapons-system research and test center for the Navy. About 2,800 civilian federal workers and another 3,000 civilian contractors work at the base on the Potomac River.

Victims:
"current and former federal employees who worked at the Naval Bases in Dahlgren, Va., Silver Spring, Md., and Panama City, Fla., on or before July 7, 1994"

Number Affected:
10,000**

**"Dahlgren Division spokesman Russ Coons said it is possible that about 10,000 employees could be affected", Source: www.inrich.com/cva/ric/news.apx.-content-articles-RTD-2008-01-15-0194.html

Types of Data:
Names, Social Security numbers, dates of birth, job titles, salary and employment information

Breach Description:
Officials at the Naval Surface Warfare Center Dahlgren Division were made aware of a breach involving personal information belonging to current and former employees after a criminal attempted to purchase a big-screen television at a Sears store in Pennsylvania using the stolen information.  One of the four suspects arrested in the attempted theft had two pages of a NSWCDD 1994 report in their possession that contained names, Social Security numbers, birth dates, job titles, salary and employment information.

Reference URL:
Official NSWCDD Press Release Online
Times-Dispatch News Story

Report Credit:
The Naval Surface Warfare Center Dahlgren Division

Response:
From the online sources cited above:

The Naval Surface Warfare Center Dahlgren Division is contacting all current and former federal employees who worked at the Naval Bases in Dahlgren, Va., Silver Spring, Md., and Panama City, Fla., on or before July 7, 1994, to warn of potential identity theft and to urge them to contact their creditor bureaus in the wake of a reported attempt to illegally obtain a credit card using an employee’s personal information.

NSWCDD officials were notified on Jan. 8 that four individuals had been arrested in Bensalem Township, Pa., on Jan. 5, 2008, for attempted identity fraud.

Police in Bensalem Township, Pa., outside Philadelphia, informed a Dahlgren employee that someone was about to use his credit card to buy a big-screen TV at Sears.
[Evan] It adds a level of concern when it is known that the information is being actively used to commit fraud.  It took awareness and good work to catch the four suspects in the identity fraud case.

They had in their possession two pages of a hard copy report dated July 7, 1994, containing personally identifiable information (PII) – names, social security numbers and dates of birth – of nearly 100 individuals with the last name beginning with “B.”

The employees could have been assigned to work within NSWCDD, at one of the following: Naval Facilities Command (NAVFAC), NSWC Dahlgren, NSWC White Oak, Md., NSWC Panama City, Fla., Joint Warfare Analysis Center (JWAC), Naval Space Command and the Aegis Training and Readiness Center (ATRC) or any of their detachments.

Dahlgren Division spokesman Russ Coons said it is possible that about 10,000 employees could be affected.

A call center has been established at 1-, Monday through Friday from 8 a.m. until 4 p.m., to answer employees’ questions and provide additional guidance on reporting and protecting against potential identity theft.

Current or former Navy civilian employees who have experienced recent identity fraud are urged to call this number as well as notify their local authorities.

Current employees were notified of the incident on Jan. 10 through an All Hands e-mail and urged to take action to safeguard their identity. The message is currently posted to the NSWCDD internal website.

At this time, NSWCDD has no information as to how the individual(s) came to be in possession of this hard copy report. The compromise of personal identity was immediately reported to all appropriate law enforcement authorities and is currently under Secret Service investigation.
[Evan] Hopefully it will be found that one of the four individuals stole the information themselves.  If the information were bought from "the stolen information black market" (yes, it exists), then this could get worse before it gets better.

It is unknown whether any additional pages of the report have been compromised. Therefore, all persons employed by NSWCDD or a tenant command on or before July 7, 1994, are advised to take action to protect against any potential identity theft.

Recommended actions endorsed by the Federal Trade Commission (FTC) are available at:
www.ftc.gov/bcp/edu/microsites/idtheft/
www.usdoj.gov/criminal/fraud/websites/idtheft.html
www.ssa.gov/pubs/idtheft.htm

NSWCDD follows the Department of the Navy’s policy for disposing of documents containing privacy act data. NSWCDD disposal processes are in place for rendering Personally Identifiable Information (PII) unrecognizable or beyond reconstruction. Documents containing PII are shredded when no longer needed.
[Evan] I imagine that the Department of the Navy's data disposal policy is well-written.  Following policy approval comes training, awareness and enforcement.

NSWCDD and the Department of Navy take this incident very seriously. Current policies and practices will be reviewed to determine if any changes are necessary to preclude a similar occurrence in the future.

Commentary:
This is an interesting story.  I can't recall a time when an identity fraudster was caught with pages of stolen information in their possession.  I have many unanswered questions about this breach.

Overall, I like the NSWCDD's response to the breach.  The response pointed out one very important facet of information security, data destruction.  I am currently writing a Data Destruction and Re-Use Standard for a company I work for. 

From the Introduction section of the standard:

The purpose of the %Company% Data Destruction and Re-Use Standard document is to describe the requirements surrounding the authorized destruction of %Company% data.  This document details the specific settings necessary to conform to SP1. Data Classification Policy, which is in turn part of the greater %Company% Corporate Information Security Policy.

Past Breaches:
Unknown

 
Comments
  • 1/16/2008 3:52 PM Truman wrote:
    The head of Information Security at Dahlgren teaches fundamentals of infosec for SANS.
    1. 1/17/2008 10:17 AM Evan Francen wrote:
      Excellent!  Assuming that what is practiced is what is taught (which I am sure it is), then I would also assume that information security is well in hand at Dahlgren.

      For readers that aren't aware of "SANS", the SANS (SysAdmin, Audit, Network, Security) Institute is a very well respected information security research and education organization created and run by pioneers in the field.  Dr. Eric Cole is one of my favorite instructors there.  If you get a chance to attend one of his classes, I would recommend it.  Stephen Northcutt is the founder of the SANS GIAC certification and is the current president.  Stephen is a true pioneer in the art of network traffic analysis and intrusion detection.  His book "Intrusion Signatures and Analysis" was a must read for me earlier in my career.

