<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: usaascs]]></title>
    <link>http://securityratty.com/tag/usaascs</link>
    <description></description>
    <pubDate>Sun, 13 Apr 2008 16:23:28 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Excel Spreadsheet on the web exposes Army officers and civilians]]></title>
      <link>http://securityratty.com/article/3579588fd6b1623770eef27c0456e961</link>
      <guid>http://securityratty.com/article/3579588fd6b1623770eef27c0456e961</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/4/08

Organization
United States Army

Contractor/Consultant/Branch
United States Army Acquisition Support Center ("USAASC")

Victims
Colonels and...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/usaasc.jpg" align="right" height="101" width="104"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/4/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.army.mil/">United States Army</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://asc.army.mil/default.cfm">United States Army Acquisition Support Center ("USAASC")</a> <br><br><span style="font-weight: bold;">Victims:</span><br>"Colonels and civilians who managed programs within ASC"<br><br><span style="font-weight: bold;">Number Affected:</span><br>"about two dozen"<br><br><span style="font-weight: bold;">Types of Data:</span><br>"name, rank, program and organization" and Social Security numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>"A spreadsheet containing a "hidden" column of Social Security numbers belonging to about two dozen officers and civilian employees of one Army agency was left on the agency's website for five months after being notified of the presence of the personal information."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.federalnewsradio.com/?nid=169&amp;sid=1380599">Federal News Radio</a> <br><a href="http://asc.army.mil/docs/press/webstatement_4-4-08.pdf">USAASC response</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Patience Wait, Federal News Radio<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>A spreadsheet containing a "hidden" column of Social Security numbers belonging to about two dozen officers and civilian employees of one Army agency was left on the agency's website for five months after being notified of the presence of the personal information. 
<br><span style="font-style: italic;">[Evan] Let's get this straight.&nbsp; The USAASC was notified about it five months ago and nothing was done about it?&nbsp; How do you explain that?</span><br><br>The Army's Acquisition Support Center has temporarily shut down its website to scrub the information from the spreadsheet.<br><br>"We regret that this error occurred. We have temporarily taken the web site down to make the necessary corrections. We will bring the website back online once the corrections have been verified," an Army spokesman responded in an email.<br><br>"We are also in the process of informing the individuals on the spreadsheet that their information was made available to the public." <br><br>The spokesman's email stated that the agency was investigating why the information had been included on the spreadsheet to begin with, and why it was still on the website five months after ASC was notified of its presence.<br><br>A computer expert who works for a federal contractor was surfing the web while doing research and found the spreadsheet in November.<br><br>The file contained a list of Colonels and civilians who managed programs within ASC. Visible columns listed their name, rank, program and organization. <br><br>In Microsoft Excel, however, every column is labeled with a letter of the alphabet, and the columns in this spreadsheet read, "A-B-D-E," indicating that column C was hidden. A simple command, "unhide," revealed the column of Social Security numbers. <br><br>FederalNewsRadio has obtained a copy of the email sent by the expert to ASC warning of the presence of the SSNs. 
The agency responded to the expert that the matter was being turned over to its executive officer for "review and correction."<br><span style="font-style: italic;">[Evan] This is interesting.</span><br><br>But the information was still present on ASC's Web site on April 3, five months to the day after ASC promised it would be corrected.<br><br>FederalNewsRadio contacted one person on the list, to confirm the number shown next to his name was in fact his Social Security number.<br><br>The man declined to directly confirm the number, but he was clearly shocked, and asked several questions, including requesting the link so he could see it for himself.<br><br>While only a handful of people were affected by the lapse, it is a violation of federal policy.<br><br>"It is a big issue," says Ari Schwartz, vice president of the Center for Democracy and Technology. "It would seem to be a violation of the [Office of Management and Budget] memo that just went out that said agencies should be cutting down on the use of Social Security numbers, as well as the Privacy Act."<br><br>Cate and Schwartz both agreed that PII leaked over the Internet is much more dangerous than widely publicized incidents involving lost and stolen laptops containing similar information, because once on the web, data lives forever. <br><br>In response to an article written by FederalNewsRadio.com on Friday, April 4, 2008, regarding an error made by the United States Army Acquisition Support Center (USAASC) in a posting to its Web site, we would like to reassure those whose personal information may have been inadvertently listed that we have taken action to both remove the information from USAASC’s Web site and verify that no other personal information remains available on the Web site. <br><br>USAASC and its staff members serving our country around the world, sincerely regret the error made and the additional delay incurred in taking corrective action. 
<br><br>In accordance with federal directives, as well as a matter of policy and practice, USAASC works diligently to safeguard both sensitive data and personal information. <br><br>At USAASC, we are confident that we have appropriately addressed this issue and instituted new policies so that such an oversight will not occur in the future. <br><br>Again, we regard people’s personal information as extremely private and worthy of the highest level of protection and we greatly appreciate the understanding of those involved. <br><br><span style="font-weight: bold;">Commentary:</span><br>The apology and responses by the USAASC sound sincere, but how do they explain the complete lack of attention to the original notification in November?&nbsp; The USAASC only responded once they were notified by the press. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Sun, 13 Apr 2008 16:23:28 +0000</pubDate>
      <category domain="http://securityratty.com/tag/web">web</category>
      <category domain="http://securityratty.com/tag/personal information remains">personal information remains</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/army">army</category>
      <category domain="http://securityratty.com/tag/usaascs web site">usaascs web site</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/spreadsheet">spreadsheet</category>
      <category domain="http://securityratty.com/tag/usaasc response">usaasc response</category>
      <category domain="http://securityratty.com/tag/usaasc">usaasc</category>
      <source url="http://breachblog.com/2008/04/13/usaasc.aspx">Excel Spreadsheet on the web exposes Army officers and civilians</source>
    </item>
  </channel>
</rss>
