Another leaky subcontractor
ZDNet reports on the latest data dump by Potomac Healthcare Solutions a subcontractor of Booz Allen Hamilton, they posted your PII to the web;
Many of the victims involved in the data leak are part of the US Special Operations Command (SOCOM), which includes those both formerly employed by US military branches, such as the Army, Navy, and Air Force, and those presumably still on active deployment. ]
The bulk of the data is made up of military personnel files and lists of physical and mental health support staff, including nurses, doctors, and mental health professionals.
Names, contract types, Social Security numbers, and duty start dates — dating back to 1998 — as well as billet numbers that detail the living quarters for when staff are not on active duty, are all included in the information leak.
Unit assignments and places of work, which include military bases and their postings worldwide, were also in the documents.
11 Gigs of PII were released because of unsecure computers sharing information – almost as if it was planned.
[Chris Vickery, lead security researcher of the MacKeeper Security Center, who found the data on the open web]’s discovery, however, was not as the result of any complicated heist, malware infection, or attack on the researcher’s part.
Rather, it was the subcontractor’s own insecure server and use of “rsync,” a common protocol used for synchronizing copies of files between two different computers, which weren’t protected with a username or password.
Thanks to Bobo for the link.
Category: Breaking News
Geez, Louise, can these people ever learn to be careful?
I do hope the victims of this idiocy are being notified.
a) subcontractors are seldom (never?) the least expensive option.
b) PII ought to always be kept only by the parent organization.
c) stiff financial penalties ought to always be included for stupid computer tricks like this: like 3x the amount of the contract paid back to the contracting organization.
Nothing will happen to the subcontractor… Hell, they may get a new contract out of this!
Those affected by the data leak/breach… they are the one that will take it in the squeakhole for a long time.
One of my employees is still suffering from a PII loss 10 years ago.
Penalties for poor performance on a government contract? Perish the thought… how would Lockheed Martin et al survive?
100% agree… STIFF penalties for non-performance are sadly lacking from too many government contracts nowadays. For instance, in my particular line of work, if we are late with an ocean shipment we get to pay for air freight – out of pocket. (At one point with another company I knew the capacity and rates to charter a 747 from Hong Kong to LA… now that hurt!) I currently work with a company who charges us $10,0000 per shift if we fail to deliver on time. Why can’t the Feds do something similar…
Is there anyone left on the planet that has not had their PII compromised in the last five years? I got notified by VA, Anthem BC/BS, MasterCard, My bank! and a private contractor all in the last few years.
At least I still have LifeBlock (LCR in .357)
^^Ditto^^ The government has been paying for my protection for about the last 12 years. It’s been one damn breech after another. Someone used my PII to create another ‘me’ and had a hell of a vacation a few years back. I then was informed by the gov of the breech and they are paying (again) for three years protection. I also put a block on my credit/accounts so nobody can open a new account in my name. I’m sure when the three years expires, I’ll be notified of another breech and have additional coverage paid for by the government. I can unlock my credit/accounts with a password if I need to buy a car/house/whatever. These companies/gov should be much more proactive vs being reactive.
Well, the State lost my PII once.
That I know about.
Cocksuckers.
Speaking of contractors, anyone heard from GDContractor? Is he here by another tag or just, like a snowflake on the water, gone?
“… which weren’t protected with a username or password.”
Just about the first thing you learn in any class on Cybersecurity or Sysadmin is to USE A STRONG PASSWORD! And that is repeated ad nauseum in every successive class.
I was under the impression that all federal contractors AND subcontractors had to abide by certain data security standards to obtain a contract.
Even my pharmacy has to abide by HIPAA data security standards.
And, contrary to “common knowledge”, you don’t have to be a super-duper hacker geek to break into many places.
WAR STORY ALERT. I was dueling with Office of Personnel Management about their web site and receiving my income tax documents on-line. I tired of their BS and after the fact security measures, and said, “why don’t I just eliminate the middle man and get them from the local Chinese restaurant and probably get egg roll thrown in. The OPM responder didn’t have a clue what I was being a smart ass about until I explained, then I never heard from them again. Thin skinned or what.
ROFL
Remember the not so old days when you had to put your SSN and damn near your entire family history on a check written at the PX and Commissary. Somehow I never got my identity stolen (but who wanted to be me back then anyway?)
Oh, the good old days…
heck, we had our SSNs printed on the checks to save writing it out…
I suspect this sort of thing will continue until we have the stomach to make the penalty for such negligence to be public flogging.