Friday, August 19, 2005

Some Things Shouldn't be Available Online

Like the rest of the military, the Air Force has embraced computer technology (and the internet) in a big, big way. A few years back, someone in a blue suit had the bright idea of making personnel functions "virtual," allowing Air Force members to conduct a variety of tasks online, without ever visiting a base personnel office. Military members were assured that their personal information was secure.

Guess again. Just hours ago, the Air Force put out an urgent press release, informing thousands of officers and a few non-commissioned officers that their personal information may have been compromised.

AFPC notifies Airmen of criminal activity exposing personal info

RANDOLPH AIR FORCE BASE, Texas - The Air Force is notifying more than 33,000 Airmen that a security breach has occurred in the online Assignment Management System.The notification comes after Air Force Personnel Center officials here alerted Air Force and federal investigators to unusually high activity on a single user's AMS account in June. AMS, an online program used for assignment preferences and career management, contains career information on officers and enlisted members as well as some personal information like birth dates and social security numbers, according to Col. Lee Hall, director of assignments at AFPC. It does not contain personal addresses, phone numbers or specific dependent information.

A malicious user accessed approximately half of the officer force's individual information while only a handful of noncommissioned officers were affected, according to Lt. Col. John Clarke, AFPC's deputy director of Personnel Data Systems. The individual used a legitimate user's login information to access and/or download individuals' personal information.

"We notified Airmen as quickly as we could while still following criminal investigation procedures with the OSI," said Maj. Gen. Tony Przybyslawski, AFPC commander. "Protecting Airmen's personal information is something we take very seriously and we are doing everything we can to catch and prosecute those responsible under the law."We notified the individuals involved outlining what happened and how they can best insulate themselves from this potential risk," the general added. "We've taken steps to increase our system security. We're working with all Air Force agencies to identify vulnerabilities. We must keep our data protected."

In the meantime, officials say officers may login to the virtual Military Personnel Flight at http://www.afpc.randolph.af.mil/vs/ to see if their information was viewed. If it was, they will receive a pop-up banner after login which will provide additional information. The small number of enlisted members who have had their information viewed will be contacted directly.

You'll note that this problem began a couple of months ago, so there's no tellling (or at least, the Air Force isn't saying) how many officers and NCOs may have actually been victimized. But it doesn't take a computer genius to realize that the same computer technology that allowed this information to be harvested, can also be used for mass submissions of loan and credit card applications. We'll probably never know the exact cost of this security breach, but the final tally could be in the millions of dollars. Since most military personnel have solid credit scores (not paying your bills can end your career), the stolen information represents a virtual gold mine for identity theives.

There's a simple--but brutal--lesson to be learned here: some types of military information do not belong on line. For once, I'd advise the personnel system to copy their counterparts in the intel community, and create a secure intranet, exclusive to Air Force personnel offices. The intel world has had such a system for years; it's not perfect, but it reduces the chances that someone could hack in from the outside. Creating a similar system for military personnel functions might create hardships for a few--say, that ROTC instructor who wants to check his personnel file, but lives 400 miles from the nearrest base--but the military is facing a critical choice: would they rather inconvenience a few, or keep facing these types of problems in the future.

One more thing: consider the consequences if military personnel databases fell into the hands of terrorists.

No comments: