From time to time I have the depressing task to write about yet another data loss event that caused the personal details of millions of people to fall into the hands of criminals. Usually this is credit card data, along with names and email addresses. Sometimes physical addresses are included, and occasionally even more sensitive data like Social Security numbers goes along for the ride. Usually this data was collected by a large retailer that had no qualms about storing the sensitive information, but clearly neglected to properly secure it.
Stolen data is primarily used for credit card fraud, though if there's enough information available, identity theft is a definite possibility. Millions of affected people have been forced to get new credit cards, check their statements for fraudulent charges, and rework any automated payment arrangements and whatnot. It's a big pain in the ass, and frankly, it has happened far too often, especially when once should be considered more than enough.
Heartland, Target, TJX, Anthem ... we've seen some massive data breaches over the years. But none can hold a candle to the breach the U.S. government announced last week. Not even close. On a scale of one to 10, with one being the loss of credit card numbers and names, this data loss event would conservatively be a 15.
Most people aren't aware of exactly what type of information the federal government collects on its employees, especially those with security clearances. We all have some idea that government employees have relatively strict reporting requirements for financial information, and we know that federal workers with higher clearances undergo thorough background checks and must submit to interviews of both themselves and their family and friends. This is done to flag potential problems and to prevent outside agents from having undue influence over people who may have access to sensitive information and materials.
Put simply, if you have a security clearance, the government would like to know if you have a drug problem or if you are in serious debt, because a foreign interest may try to use that situation as leverage to coerce you into revealing sensitive information. In the interest of national security, these safeguards make sense.
But the true nature and scope of the information required by the government and subsequently collected by the government on an employee is massive. Take a look at Standard Form 86. This is a 127-page form that usually takes a week or more to complete and requires the entry of the applicant's Social Security number on each page. The data included on this form is not just enough for identity theft, but enough to allow a person to literally become another person. Each Standard Form 86 fully documents the life of the subject. The only thing missing is the name of your first crush, though that might be in there somewhere too.
Some 18 million people had this level of personal data -- and more, including data collected by observers -- lost to foreign agents last week. If the government collected this data to know if an employee was vulnerable to undue outside influence, then it just succeeded in closing that loop itself, having now released it into the wild. All of those vulnerabilities are now known and available for exploit to whomever stole the data, or to whomever they wish to sell that data. This is very, very bad.
I should also mention that many of those whose personal information was swept up in this data loss event were never even government employees in the first place. They may have filled out the forms and submitted applications, but they were never hired or they declined the job. This includes prospective TSA agents right on up through CIA employees -- the higher the position, the higher the clearance, the more sensitive the data that was collected and lost. Information on these peoples' infidelities, sexual fetishes, mental illnesses, criminal activities, debts, and other highly personal information is now in the hands of cyber-attackers. This is damage that cannot be undone or mitigated. We can change credit card numbers and refund fraudulent charges, but we can't change any of the personal data and intimate details of these people's lives. That's a permanent loss.
One could argue that however disastrous this data loss event is, the government had a requirement to store this data. It needed to collect and maintain this data, even if it failed to secure it. That said, this is the same government that is collecting a massive amount of data on all of us, whether we're prospective federal employees or not, via Internet and phone surveillance. If the federal government is lax enough to lose immeasurably sensitive information on its employees, how secure is the data that it has decided it needs to collect on everyone in the world?
Many people believe that the U.S. government shouldn't be collecting and storing this data in the first place, and that there's no need to maintain that data collection. This event underscores the fact that maintaining this data is not just privacy invasion on a massive scale, but it's actually dangerous. What happens when the next data loss event contains highly sensitive data on hundreds of millions of people? We can't put that cat back in the box no matter how we might try. You might think that the best way to guard against that possibility is to stop collecting that data in the first place.