Wired.com reports on a possible breach at -- of all places -- the National Archives and Records Administration (NARA) that, if verified, could affect tens of millions of records about U.S. military veterans. It appears that it may involve an issue that I call “Data Security 101” -- the failure of a contractor to wipe clean a defective hard drive returned to it by NARA. The contractor determined that the drive could not be fixed, and sent it elsewhere to be recycled -- without following ordinary industry procedures (and U.S. Government policy) requiring that hard drives be degaussed before recycling or other disposition.
According to the Wired piece, the incident was reported to NARA’s inspector general by Hank Bellomy, a NARA IT manager, “who charges that the move put 70 million veterans at risk of identity theft, and that NARA’s practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America’s record-keeping agency.”
The Veterans Administration settled a class action earlier this year at a cost of $20 million over the 2006 loss of a laptop containing records with personal information of up to 26.5 million veterans and active duty personnel.