Mystery surrounds State Department breach
Technorati Tag: Security Breach
Date Reported:
10/31/08
Organization:
U.S. Government
Contractor/Consultant/Branch:
U.S. Department of State
United States Postal Service
Location:
Washington, DC
Victims:
"passport applicants"
Number Affected:
"approximately 400"
Types of Data:
Data contained on passport applications, such as names, addresses, dates of birth, Social Security numbers, phone numbers, email addresses, mother's maiden name, etc.
Breach Description:
"The State Department has notified approximately 400 passport applicants in the D.C. area of a breach in its database security that allowed a ring of thieves to obtain confidential information so they could fraudulently use credit cards stolen from the mail, officials said."
Reference URL:
Washington Post (subscription)
Report Credit:
Glenn Kessler, Washington Post
Response:
From the online source cited above:
The State Department has notified approximately 400 passport applicants in the D.C. area of a breach in its database security that allowed a ring of thieves to obtain confidential information so they could fraudulently use credit cards stolen from the mail, officials said.
[Evan] The breach occurred many months ago (and may still be occurring). Are applicants just being notified now?
so far 400 individuals had been identified "whose records may have been accessed by the suspect for illicit purposes."
The scheme, involving two major government agencies, came to light months ago through a fluke.
[Evan] The two major government agencies being the US Postal Service and the US State Department.
On March 25, D.C. police officers on a routine patrol stopped a car on the suspicion that its windows were excessively tinted, an apparent violation of city law.
Smelling marijuana, the officers searched the car and discovered that the 24-year-old driver was carrying 21 credit cards not in his name and printouts of eight passport applications -- and that four of the names on the passport applications matched the names on four of the credit cards, according to documents filed in U.S. District Court.
[Evan] Finding out about the identity theft truly was a total fluke. All of the following had to be true; excessively tinted windows, smoking marijuana in the car, and storing the fraud-related information in the same car.
Upon his arrest, the driver, Leiutenant Q. Harris Jr., told police that he worked with a co-conspirator who was employed by the State Department and another co-conspirator who worked for the U.S. Postal Service, court documents said.
[Evan] I wonder if the identities of the co-conspirators are known by authorities.
Officers on the scene called American Express about some of the cards in Harris's possession, and were told that they had recently been used and that a fraud alert had been placed on them.
But the investigation was hampered because Harris was fatally shot while getting into his car in Northeast Washington on April 17, just days after appearing in court on fraud charges and shortly after he agreed to cooperate in the probe.
[Evan] The murder of Mr. Harris was reported by the Washington Post in "Man Fatally Shot in Northeast Had Been Charged in Fraud Case". According to the story, Mr. Harris "was shot several times at close range" and "faced a court hearing in June". According to Mr. Harris' mother, Cleopatria Harris is "absolutely sure" that her son was slain because of his involvement in the scam.
The [notification] letter informed recipients that the State Department would provide free credit monitoring for a year and would reimburse out-of-pocket expenses and lost wages resulting from identity theft.
[Evan] This is good for victims, but how effective is it really?
The criminal investigation has not been completed
"We are thoroughly examining every aspect of our information security systems and procedures to safeguard against unauthorized access of passport records." (Florence Fultz, the acting managing director of the State Department's Passport Services division)
[Evan] Hopefully, this is or becomes standard practice. We all need to regularly audit/test and assess our information security practices.
a[n anonymous] spokesman said the department has "undertaken a number of immediate and long-term measures to significantly improve the protection of personally identifiable information to include mandatory audits, an enhanced monitoring list, improved training and a revamped reporting system"
[Evan] Sounds impressive.
"In addition, we have formed a working group to develop long-term systems solutions to improve the security of these records such as a tiered access system to all passport records." (Anonymous spokesman)
the statement added, "to the best of our knowledge, most of these individuals have not experienced identify theft."
[Evan] The keyword is "most", understanding that some have. Unfortunately, those who haven't still face an increased risk.
Commentary:
This story is very interesting. A man gets pulled over for a tinted window violation. The man has marijuana in his possession. The police search the car and find stolen passport information and fraudulent credit cards among other things. The man spills the beans and starts to cooperate with officials. Man is murdered under suspicious circumstances. There is a whole bunch more to this story. Maybe a movie to follow.
As far as information security is concerned… The State Department stores some very sensitive information and a lot of it. According to the Washington Post, in July the State Department's inspector general "documented a widespread lack of controls on the personal data of the 127 million Americans who hold passports, finding "a general lack of policies, procedures, guidance and training." Policies, procedures, guidance and training are all basic information security principles. If an agency cannot or will not follow information security basics, how can we expect them to do anything?
Past Breaches:
U.S. Government:
March, 2008 - A breach that hits home with 2008 presidential candidates
March, 2008 - Laptop stolen from NHLBI contained personal health information
July, 2008 - Social Security Administration lists live people in the Death Master File
October, 2008 - Mailing error by FEMA contractor affects hurricane victims
U.S. Department of State:
March, 2008 - A breach that hits home with 2008 presidential candidates
United States Postal Service:
November, 2007 - USPS stolen laptop exposes 3,000 employees
Date Reported:10/31/08
Organization:
U.S. Government
Contractor/Consultant/Branch:
U.S. Department of State
United States Postal Service
Location:
Washington, DC
Victims:
"passport applicants"
Number Affected:
"approximately 400"
Types of Data:
Data contained on passport applications, such as names, addresses, dates of birth, Social Security numbers, phone numbers, email addresses, mother's maiden name, etc.
Breach Description:
"The State Department has notified approximately 400 passport applicants in the D.C. area of a breach in its database security that allowed a ring of thieves to obtain confidential information so they could fraudulently use credit cards stolen from the mail, officials said."
Reference URL:
Washington Post (subscription)
Report Credit:
Glenn Kessler, Washington Post
Response:
From the online source cited above:
The State Department has notified approximately 400 passport applicants in the D.C. area of a breach in its database security that allowed a ring of thieves to obtain confidential information so they could fraudulently use credit cards stolen from the mail, officials said.
[Evan] The breach occurred many months ago (and may still be occurring). Are applicants just being notified now?
so far 400 individuals had been identified "whose records may have been accessed by the suspect for illicit purposes."
The scheme, involving two major government agencies, came to light months ago through a fluke.
[Evan] The two major government agencies being the US Postal Service and the US State Department.
On March 25, D.C. police officers on a routine patrol stopped a car on the suspicion that its windows were excessively tinted, an apparent violation of city law.
Smelling marijuana, the officers searched the car and discovered that the 24-year-old driver was carrying 21 credit cards not in his name and printouts of eight passport applications -- and that four of the names on the passport applications matched the names on four of the credit cards, according to documents filed in U.S. District Court.
[Evan] Finding out about the identity theft truly was a total fluke. All of the following had to be true; excessively tinted windows, smoking marijuana in the car, and storing the fraud-related information in the same car.
Upon his arrest, the driver, Leiutenant Q. Harris Jr., told police that he worked with a co-conspirator who was employed by the State Department and another co-conspirator who worked for the U.S. Postal Service, court documents said.
[Evan] I wonder if the identities of the co-conspirators are known by authorities.
Officers on the scene called American Express about some of the cards in Harris's possession, and were told that they had recently been used and that a fraud alert had been placed on them.
But the investigation was hampered because Harris was fatally shot while getting into his car in Northeast Washington on April 17, just days after appearing in court on fraud charges and shortly after he agreed to cooperate in the probe.
[Evan] The murder of Mr. Harris was reported by the Washington Post in "Man Fatally Shot in Northeast Had Been Charged in Fraud Case". According to the story, Mr. Harris "was shot several times at close range" and "faced a court hearing in June". According to Mr. Harris' mother, Cleopatria Harris is "absolutely sure" that her son was slain because of his involvement in the scam.
The [notification] letter informed recipients that the State Department would provide free credit monitoring for a year and would reimburse out-of-pocket expenses and lost wages resulting from identity theft.
[Evan] This is good for victims, but how effective is it really?
The criminal investigation has not been completed
"We are thoroughly examining every aspect of our information security systems and procedures to safeguard against unauthorized access of passport records." (Florence Fultz, the acting managing director of the State Department's Passport Services division)
[Evan] Hopefully, this is or becomes standard practice. We all need to regularly audit/test and assess our information security practices.
a[n anonymous] spokesman said the department has "undertaken a number of immediate and long-term measures to significantly improve the protection of personally identifiable information to include mandatory audits, an enhanced monitoring list, improved training and a revamped reporting system"
[Evan] Sounds impressive.
"In addition, we have formed a working group to develop long-term systems solutions to improve the security of these records such as a tiered access system to all passport records." (Anonymous spokesman)
the statement added, "to the best of our knowledge, most of these individuals have not experienced identify theft."
[Evan] The keyword is "most", understanding that some have. Unfortunately, those who haven't still face an increased risk.
Commentary:
This story is very interesting. A man gets pulled over for a tinted window violation. The man has marijuana in his possession. The police search the car and find stolen passport information and fraudulent credit cards among other things. The man spills the beans and starts to cooperate with officials. Man is murdered under suspicious circumstances. There is a whole bunch more to this story. Maybe a movie to follow.
As far as information security is concerned… The State Department stores some very sensitive information and a lot of it. According to the Washington Post, in July the State Department's inspector general "documented a widespread lack of controls on the personal data of the 127 million Americans who hold passports, finding "a general lack of policies, procedures, guidance and training." Policies, procedures, guidance and training are all basic information security principles. If an agency cannot or will not follow information security basics, how can we expect them to do anything?
Past Breaches:
U.S. Government:
March, 2008 - A breach that hits home with 2008 presidential candidates
March, 2008 - Laptop stolen from NHLBI contained personal health information
July, 2008 - Social Security Administration lists live people in the Death Master File
October, 2008 - Mailing error by FEMA contractor affects hurricane victims
U.S. Department of State:
March, 2008 - A breach that hits home with 2008 presidential candidates
United States Postal Service:
November, 2007 - USPS stolen laptop exposes 3,000 employees
Posted by Evan Francen at 10/31/2008 11:06 AM 
Categories: U.S. Government, U.S. Department of State, United States Postal Service, Employee Fraud
Categories: U.S. Government, U.S. Department of State, United States Postal Service, Employee Fraud
Posts Atom 1.0
Evan;
An interesting story to be sure!
As a former police officer I can tell you that there is nothing unusual about an officer making a stop for a minor traffic or equipment violation only to find additional violations in plain view that can escalate into something more involved. Of course, sometimes the initial violation is petty but the officer knows or has reason to believe there is more going on and wants the probable cause to stop the vehicle for a better look. Sometimes.
The shooting of the perp just after agreeing to drop a dime - that points to something much more involved than a few stolen credit cards. Sounds like one of those things that we'll never know all about.
Reply to this