Back in World War II, the U.S. government tried to encourage people not to blab about sensitive information through a famous ad campaign whose posters warned, "Loose lips sink ships." Now that a Veterans Affairs (VA) employee has managed to compromise the personal records of more than 26 million U.S. veterans by taking the data home on computer disks, which were stolen along with a laptop during a burglary, the security slogan may have to be revived as "Loose disks sink ships."
The data on the 26.5 million veterans include names, dates of birth and Social Security numbers, which could be a boon to any criminal interested in identity theft. So far, though, there's no evidence the burglary of the suburban Maryland house where the VA employee's laptop and disks were stolen was intended for that specifically.
But "loose disks sink ships," and the first ship that seems to be going down is the one for the VA analyst who took this data home without permission. The as-yet-unnamed employee has been put on administrative leave pending the investigation, as the FBI and local police try to find the stolen property in what some consider the biggest known compromise of personal information ever.
Sen. John Kerry (D-Mass.), a decorated Vietnam War veteran, commented on the breach, "Someone needs to be fired."
It's hard to fire government employees, but a bombshell like 26 million compromised veterans records could be enough to take out more than just one ship.
Somewhat after the fact, the VA has ordered all employees to attend a cybersecurity-awareness course by the end of June.
The sad irony in all this is that there are many at the VA who have worked hard to design and install network-based security. But in the "multiple layers of security" everyone is so fond of discussing, the human being apparently remains one of the hardest to fix.
For more of Ellen Messmer's observations on network security, visit our Security Research Center.