A breach that hits home with 2008 presidential candidates

Date Reported:
3/20/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
U.S. Department of State
Stanley, Inc.
The Analysis Corporation

Victims:
United States passport applicants

Number Affected:
Unknown*

*Prominent political figures such as Barack Obama, Hillary Clinton and John McCain were all affected.  It is expected and assumed that there are more affected individuals, but due to the sensational nature of events, the full extent of the breach is not known.

Types of Data:
"It is not clear whether the employees saw anything other than the basic personal data such as name, citizenship, age, Social Security number and place of birth, which is required when a person fills out a passport application."

Breach Description:
"The passport files of all three major presidential candidates were breached by unauthorized searches by four employees, the State Department said yesterday, prompting apologies from Secretary of State Condoleezza Rice, outrage from the candidates and calls by lawmakers for further probes."

Reference URL:
MSNBC News Story

Stanley, Inc. Official Company Statement
Statement from The Analysis Corporation

Report Credit:
Associated Press, posted to The Breach Blog through the kind urging of an informed reader

Response:
From the online sources cited above:

State Department employees snooped through the passport files of three presidential candidates — Sens. Barack Obama, Hillary Rodham Clinton and John McCain — and the department's inspector general is investigating.
[Evan] The Inspector General job is still vacant.  Would you want this job?  If so, you may have to call them.  I don't see a job description or a posting on Monster.com.
State Department spokesman Sean McCormack said the violations of McCain and Clinton's passport files were not discovered until Friday, after officials were made aware of the unauthorized access of Obama's records and a separate search was conducted.
[Evan] Are we safe to assume that the unauthorized access to McCain and Clinton's passport files would have gone unnoticed without the discovery of the Obama access?

The incidents raise questions as to whether the information was accessed for political purposes and why two contractors involved in the Obama search were dismissed before investigators had a chance to interview them.

McCormack said one of the individuals who accessed Obama's files also reviewed McCain's file earlier this year. This contract employee has been reprimanded, but not fired. The individual no longer has access to passport records, he said.

"I can assure you that person's going to be at the top of the list of the inspector general when they talk to people, and we are currently reviewing our (disciplinary) options with respect to that person," McCormack said.

Secretary of State Condoleezza Rice spoke with all three candidates on Friday and expressed her regrets.

After speaking with Obama, Rice told reporters: "I told him that I was sorry, and I told him that I myself would be very disturbed."

"None of us wants to have a circumstance in which any American's passport file is looked at in an unauthorized way," said Secretary of State Condoleezza Rice as she offered apologies to the candidates.

The State Department said the Justice Department would be monitoring the probe in case it needs to get involved.

In Clinton's case, an individual last summer accessed her file as part of a training session involving another State Department worker. McCormack said the one-time violation was immediately recognized and the person was admonished.
[Evan] As part of a training session?  What the….?  Is it common practice to train employees/contractors with live confidential information?  Bad.

Obama's records were accessed without permission on three separate occasions — Jan. 9, Feb. 21 and as recently as last week, on March 14.

McCain, who was in Paris on Friday, said any breach of passport privacy deserves an apology and a full investigation.
"The United States of America values everyone's privacy and corrective action should be taken," he said.
[Evan] Yes, especially when it is your own privacy!

Aside from the file, the information could allow critics to dig deeper into the candidates' private lives. While the file includes date and place of birth, address at time of application and the countries the person has traveled to, the most important detail would be their Social Security number, which can be used to pull credit reports and other personal information.

The violations were detected by internal State Department computer checks because certain records, including those of high-profile people, are "flagged" with a computer tag that tips off supervisors when someone tries to view the records without a proper reason.
[Evan] Excellent.  It is good practice to log access attempts (successful and not) to confidential information.  Of course you need to identify confidential information and classify it first, which is a huge challenge in a vast majority of companies.  I think the government does a pretty good job of data classification however.

Former Independent Counsel Joseph diGenova said the firings of the contract employees will make the investigation more difficult because the inspector general can't compel them to talk.
[Evan] We have ways of making you talk!  Seriously though.  With all the resources at the disposal of the United States government, do you really think that officials won't be able to conduct a thorough investigation?  Whether they will or not, or whether any details become public is another story.

Two companies that provide workers for the State Department say they fired or otherwise punished those who improperly accessed the passport records of the three major presidential candidates.

Stanley Inc., based in Arlington, Va., and The Analysis Corp., or TAC, of McLean, Va., said Friday that their employees' actions were unauthorized and not consistent with company policies.

Just this week, Stanley won a five-year, $570 million government contract extension to support passport services.

"When you have not just one but a series of attempts to tap into people's personal records, that's a problem not just for me but for how our government functions," Obama told reporters while campaigning in Portland, Ore. "I expect a full and thorough investigation. It should be done in conjunction with those congressional committees that have oversight function so it's not simply an internal matter."

From the Stanley, Inc. Official Company Statement:
Stanley manages more than 1,800 personnel including subcontractor personnel nationwide on contracts assisting Department of State and other contract employees with production of over 18 million passports annually.
[Evan] 18,000,000+ passports annually!  We already know that there are trust issues with these four contractors (from both Stanley and TAC); does the potential exist for a breach of 18,000,000 records?  Is the risk significant?

Prior to employment, Stanley and its subcontractor candidates undergo several background checks, including security and credit checks. Candidates are also subjected to a Government-sponsored background check. In addition, candidates receive training on the Privacy Act and are required to sign a Privacy Act acknowledgement prior to starting employment. This acknowledgement, among other items, indicates that any employee who knowingly obtains access to information under false pretense is subject to immediate dismissal and both civil and criminal prosecution.
[Evan] Obviously, some people don't care.

While this is a rare occurrence, we regret the unauthorized access of any individual's private information.  Two Stanley subcontractor employees were involved in the unauthorized access of Senator Barack Obama’s passport files. In each of these instances the employee was terminated the day the unauthorized search occurred.

At this time we are unaware of the involvement of any Stanley or subcontractor employees in the unauthorized searches of Senator John McCain’s or Senator Hillary Clinton’s passport files.

From the "Statement from The Analysis Corporation":
Late this morning, representatives of the Department of State informed The Analysis Corporation (TAC) for the first time that one of the individuals who had been detected inappropriately accessing passport files of prominent political figures was a TAC employee. The individual was working on contract at the Department of State.

This individual's actions were taken without the knowledge or direction of anyone at TAC and are wholly inconsistent with our professional and ethical standards.
[Evan] Classic attempt by the company to separate themselves from the incident in question.  I hope that this is an obvious statement.

TAC has an exemplary record of supporting the Department of State and other elements of the U.S. Government for close to two decades. We are fully cooperating with the Department of State in its investigation. Specifically, we have honored the Department's request to delay taking any administrative action related to the employment of the individual in order to give the Department's Office of the Inspector General the opportunity to conduct its investigation.

We deeply regret that the incident occurred and believe it is an isolated incident.
[Evan] What are the chances of four contractors from two independent contracting companies accessing confidential information while on contract at the same organization?  Isolated?  Maybe, maybe not.

Commentary:
Well, now information security (and privacy) hits home with some very powerful people.  This will almost certainly spur changes, more so than when "commoners" were the ones affected.

I am concerned that this series of reported incidents is part of a bigger problem at the Department of State. It's probably unlikely that someone is going to steal Barack Obama's identity (do you think he will get the standard one year of free identity theft protection? [heh]).  Employees and the risks involved with their identity and access management are some of the most challenging issues to deal with as an information security professional.  Employees need a certain amount of access in order to perform tasks, but how do you detect when an employee decides to use their "legitimate" access for purposes outside of the scope of their duties?  You may be able to detect when they "do" abuse access rights, but how could you detect when they "decide" to?
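The "flagged record" check described in the news story above and the "do" versus "decide" question this commentary ends on are the same problem seen from two ends. What follows is an added example, not code from the Department of State, Stanley or TAC: three detection rules run over a constructed passport-lookup audit log. The log format, user names, record IDs, the FLAGGED_RECORDS set and the convention that a lookup cites a case ID are all assumptions made for the example. Rule 1 is the per-record flag from the story (any view of a flagged record with no work reason attached); rules 2 and 3 look across accesses for the pattern a single alert, reviewed in isolation, can miss. None of them sees the decision to abuse access; they make the first act visible, which is the realistic goal.

```python
"""Added example: detection rules over a constructed passport-lookup audit log.

The log format, field names, record IDs and user names are assumptions made
for this example; they are not the Department of State's system or data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# timestamp | user | record_id | action | case_id ("-" when no work item was cited)
SAMPLE_LOG = """\
2008-01-09T10:12:03 | ctr_a | REC-1001 | VIEW | -
2008-01-09T10:15:44 | ctr_a | REC-2201 | VIEW | CASE-55120
2008-02-21T14:02:10 | ctr_b | REC-1001 | VIEW | -
2008-03-14T09:47:31 | ctr_c | REC-1001 | VIEW | -
2008-03-14T09:50:02 | ctr_c | REC-1002 | VIEW | -
2008-03-14T11:03:19 | emp_d | REC-3310 | VIEW | CASE-55987
"""

# Hypothetical set of "flagged" (high-profile) record IDs. In a real system the
# flag lives on the record itself, not in a hard-coded set.
FLAGGED_RECORDS = {"REC-1001", "REC-1002", "REC-1003"}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    record: str
    action: str
    case_id: str  # empty when the viewer cited no work item


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the pipe-delimited log; a malformed line is an error, not silently skipped."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("|")]
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {raw!r}")
        when, user, record, action, case_id = fields
        events.append(AccessEvent(datetime.fromisoformat(when), user, record, action,
                                  "" if case_id == "-" else case_id))
    return events


def unjustified_flagged_views(events, flagged=FLAGGED_RECORDS):
    """Rule 1: a view of a flagged record with no case ID attached.

    This is the 'tip off supervisors when someone views the record without a
    proper reason' condition; it fires on the first access, not after a pattern."""
    return [e for e in events
            if e.record in flagged and e.action == "VIEW" and not e.case_id]


def repeated_flagged_views(events, flagged=FLAGGED_RECORDS, min_days=2):
    """Rule 2: the same flagged record viewed without justification on several
    distinct days, by anyone. Catches the slow pattern per-event alerts can miss."""
    days: dict[str, set[date]] = defaultdict(set)
    for e in unjustified_flagged_views(events, flagged):
        days[e.record].add(e.when.date())
    return {rec: sorted(d) for rec, d in days.items() if len(d) >= min_days}


def flagged_burst_by_user(events, flagged=FLAGGED_RECORDS,
                          window=timedelta(minutes=15), min_records=2):
    """Rule 3: one user opening several distinct flagged records inside a short
    window, which routine passport processing gives no reason to do."""
    by_user: dict[str, list[AccessEvent]] = defaultdict(list)
    for e in events:
        if e.record in flagged:
            by_user[e.user].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for i, start in enumerate(evs):
            recs = {x.record for x in evs[i:] if x.when - start.when <= window}
            if len(recs) >= min_records:
                hits[user] = sorted(recs)
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unjustified_flagged_views(evs):
        print(f"ALERT   {e.when:%Y-%m-%d %H:%M} {e.user} viewed flagged {e.record} with no case ID")
    for rec, ds in repeated_flagged_views(evs).items():
        print(f"PATTERN {rec} viewed without justification on {len(ds)} days: {[str(d) for d in ds]}")
    for user, recs in flagged_burst_by_user(evs).items():
        print(f"BURST   {user} opened {len(recs)} flagged records within 15 min: {recs}")
```

Run as a script, it prints one alert per unjustified view, the cross-day pattern on REC-1001 and the two-record burst by ctr_c. The rule is only half the control: in the story the McCain and Clinton lookups surfaced only after a separate search prompted by the Obama discovery, so the alerts have to land in front of someone who reviews them, and the audit log itself must not be writable by the people it watches.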

Past Breaches:
Unknown


 
Comments
  • 3/23/2008 9:57 AM Scott Wright wrote:
    This is an interesting story with many angles. In my article (see link above), I take a look at the assumption that contractors are somehow less trustworthy than Full-Time Employees. Is it so?
    1. 3/24/2008 8:23 AM Evan Francen wrote:
      This is a very good question with an answer that is very hard to measure.

      My gut feeling is no, contractors are not less trustworthy than full-time employees.  I can recall just as many dishonest full-time employees as I can contractors in my experience.  The security issues of contractors AND full-time employees should be governed by onboarding and separation procedures and processes.  I have consulted for plenty of companies that do not have policies/procedures around these issues.  Many of them assume that the contracting company does the necessary background checks, interviews and evaluations.  Companies should approach the hiring of contractors and full-time employees in much the same way, so as to avoid gaps and make the question you pose moot in some respects.  Companies need to be intimately involved in the evaluation of contractors.
