Security breach: Thousands of Air Force officers’ ID files hacked
BY: Rod Hafemeister, Air Force Times
SAN ANTONIO — Someone broke into the Air Force’s Assignment Management System and may have stolen the personal information of tens of thousands of officers.
On Aug. 18, personnel officials began notifying about 33,300 officers and 19 airmen that their records were accessed by a still-unidentified information burglar.
The breach occurred in the May-June time frame. Further access was stopped as soon as the break-in was discovered and, so far, no cases of identity theft have been linked to the unauthorized access, officials said.
Officials, in an effort to nab the identity thief, waited to alert airmen that their personal information had been accessed. Now, they’re letting the affected airmen know what steps to take to protect themselves and their credit in the event that information was stolen.
The information in the Assignment Management System could be a gold mine for an identity thief. Besides Social Security numbers, it includes other things protected under the Privacy Act, such as marital status, number of dependents, date of birth, race/ethnic origin (if declared), civilian educational degrees and major areas of study, school and year of graduation, and duty information for overseas assignments or for routinely sensitive units.
Officials are still withholding a lot of the details, citing the ongoing criminal investigation. But they said the breach was accomplished through one of the most vulnerable parts of any network: The intruder logged on using a stolen password.
“Basically, we had an unauthorized user gain access to a single user account by stealing a password,” said Lt. Col. John Clarke, chief of the Systems Operations Division at the Air Force Personnel Center. “Then they went in and accessed member information on roughly 33,000 military members.”
The delay in notifying the potential victims was approved at the highest levels of the Air Force, said Maj. Gen. Anthony Przybyslawski, Personnel Center commander.
“Senior leadership of the Air Force knew about this from the moment it happened,” he said. “We weren’t in a vacuum; it was a complete buy-in from all parties involved. There wasn’t any rogue two-star general sitting in San Antonio making decisions on this.”
Now, officials have launched an information blitz to get the word out to the affected airmen.
Besides the individual letters being sent, they also are sending e-mails where possible and are putting an information link on the front page of the center’s Web site, www.afpc.randolph.af.mil.
The home page will carry a link where airmen can enter their Social Security numbers and determine whether their records were part of the breach. If so, they will be linked to an online version of the notification letter.
Local military personnel flights also will have lists of affected airmen, Clarke said.
The letters and online notices include advice on how to check your credit, how to file a fraud alert and who to contact if you suspect identity theft. The notices also include the phone numbers and Web links for the three major credit bureaus and the Federal Trade Commission, the agency that deals with identity theft.
“There’s a lightly publicized amendment under the Fair Credit Reporting Act that allows military members deployed away from home to put an active-duty alert on for one year,” Clarke said. The alert tells credit issuers to take extra steps to confirm your identity before issuing new credit.
“The other thing it does is, it removes you from the pre-screening lists for credit cards and insurance and all those other things they sell the lists to, for two years,” Clarke said.
Affected airmen and officers also should let officials know if there’s a problem, both to get legal help and give the investigators more evidence with which to work.
“It’s an ongoing investigation, a joint investigation with other federal law enforcement agencies,” said Capt. Regen Wilson, spokesman for the Air Force Office of Special Investigations. “If any Air Force members find any suspicious actions in their accounts, they need to go to their legal office for advice and legal will notify us.”
Air Force leaders had to try to balance the risk to airmen against the possibility of catching the person or persons who went after the information, Przybyslawski said.
“During this whole thing, the thing that overpowered all the decision-making that we did in this, was all based on the airmen — making sure we plugged the leak in the dike, making sure there were no more leaks,” he said. “And we felt we had a strong obligation to those airmen, also, to find out who was doing this so that we could get a solid damage assessment of how far this went.
“We stopped the leak so it couldn’t happen anymore. And then we turned it over to the OSI for them to try and catch the culprit.”
This was the first time the Air Force had faced this kind of information breach — and there was no standard procedure for handling it, like there is for something like an airplane crash, Przybyslawski said.
Personnel officials went to the 8th Air Force network operations center for help and called in the network security experts at the Air Intelligence Agency. They also brought in the Air Force Office of Special Investigations and legal specialists.
“There was a whole new series of cooperation, a coalition was formed of many people who had expertise,” he said.
The breach was discovered late on a Friday afternoon and the response team was brought together over that weekend, he said.
“We were on a full sprint come that first Monday,” he said.
The big question was how long to let OSI run with the investigation, he said.
Personnel officials have increased the safeguards in the system to make another such breach less likely.
That means it may be a little less convenient for the average airman trying to legitimately access the system, but that’s the trade-off for better security, officials said.
The Air Staff also is working on a new policy concerning computer networks, Przybyslawski said.
“This gave us an indication that there are a lot of holes in our policy, in not just how we do AMS. The last that I heard, there’s over 100 systems out there that could have the same kind of problem,” he said. “Now we’re going to apply lessons learned across the entire enterprise.”