By Martin H. Bosworth
ConsumerAffairs.com
July 9, 2006
For the second time in two weeks, Navy personnel's personal
information, including names, addresses, and Social Security numbers,
has ended up on a public Web site, triggering an investigation.
The data on over 100,000 Navy and Marine airmen and air support crew members was posted on the Naval Safety Center Web site.
The data was immediately removed and the site itself is currently inaccessible. In addition, the personal data was stored on 1,083 Web-Enabled Safety System (WESS) compact discs, and mailed to Navy and Marine Corps command staff.
Although the Navy claims that there was no indication that the data was used illegally, the data was publicly accessible on the Naval Safety Center site since December 2005, and affected personnel have been notified to aggressively monitor their credit reports and bank accounts for signs of fraud.
WESS is a Web-based application designed to compile data on naval and aviation accidents and mishaps. It was commissioned as part of the Navy's aggressive overhaul of its accident reporting systems and move towards Web-centered applications.
The WESS was developed using JReport, a technology created by Rockville, MD-based Jinfonet, a "business intelligence" company.
In a press statement announcing the selection of JReport to power the initiative, the Navy said that JReport "will also generate [Microsoft] Excel format reports on unclassified information, for example, incident rates over a ten-year period. These reports will be posted on the Naval Safety Center's Web site for ready public access."
Two weeks ago, the personal data on over 30,000 sailors and their family members was found on an unidentified civilian Web site. That site has been allegedly shut down, and the Naval Criminal Investigative Service (NCIS) is investigating the issue.
According to Federal Computer Week's Bob Brewin, the previous Navy data exposure was due in part to information collected after Hurricane Katrina. The personal data was collected in five spreadsheet files and published on the unnamed site. The Navy did not identify the site or explain how the site obtained the sailors' data.
The two Navy data breaches are the latest in a string of incidents where government agencies have exposed personnel information.
The Government Accountability Office (GAO), the government's watchdog arm that has provided frequent recommendations on how to improve federal data security, reported its own exposure of audit reports from Defense Department travel vouchers dating back to the 1970's.
The Federal Trade Commission, the agency tasked to protect consumers from identity theft and data fraud, was robbed of two laptops containing the personal information of 110 Americans involved in FTC cases in June.
And in January of 2006, the DOJ published personal information of individuals involved in litigation against it on one of its Web site. The information included full names and Social Security numbers.
The biggest case of data exposure still centers around the Veterans' Administration and the theft of a laptop containing 26.5 million veterans' personal records from the home of an unidentified analyst in Maryland.
The laptop was recently returned by an anonymous source, and the VA claims it was not tampered with. The VA also disclosed two other data breaches that had occurred at the agency in the past year, but were not publicized.
