Security breach in passport application leads to identity theft
A couple of weeks ago I wrote an article about how easy it would be for a hacker to steal the information embedded in the computer chip inside your passport.
Friday the State Department warned 400 passport applicants of a security breach in its records system that may have left them open to identity theft. Although the breach is not related to how your personal information is stored in your passport, it does represent a major issue that only increases the fear some people have about how their private information is handled by the government and the private sector.
The State Department has already notified 383 people (most from Washington DC) that their passport applications, which contain personal information including Social Security numbers, may have been illegally accessed and used to open fraudulent credit card accounts.
The breach was noticed back in March, but the State Department has not released any additional information on how it occurred, other than to say that it is still under investigation. So far one man has been arrested, and one State Department employee has been reassigned and might face further disciplinary action pending completion of the investigation.
November 3rd, 2008 at 5:34 pm
What makes this breach especially troubling is that passport applicants have no choice in the information they provide to the State Department. Addresses, contact information and social security numbers are all conveniently included in the application, making it easy for the State Department employee to grab records and immediately turn these into credit card applications.
The measures the department is now taking – permissions, auditing and monitoring – are some of the right measures to have taken *before* a breach occurred. Implementing them afterwards is simply too little, too late.
It is too late, because these really ought to have been in place at the very highest level well before the breach occurred – we are not talking about new security technologies, here. The data are highly personal to the individuals concerned and are permanent. You cannot change your date of birth or social security number in the way that you can a password. They need and deserve to be fully protected.
It is too little, because these measures, even upgraded, will not prevent insider breaches in the future. They will merely alert the IT team after a breach has occurred. The Department needs to implement a system that blocks any access attempt that is deemed suspicious. Having this type of system in place last March would have stopped the employee from downloading multiple applications while simultaneously alerting IT administrators that records were being compromised.
The public’s data need and deserve to be treated with more respect.
November 3rd, 2008 at 10:22 pm
Paul, I agree with you 100%. It is definitely too little, too late.