Tuesday, May 18, 2010
Navy took more than a year to announce personal data breach
So why did it take the Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., that their Social Security numbers had been inadvertently released?
The information was sent in May 2008 to three other employees whose security access had been suspended for reasons unrelated to the information breach.
E-mails obtained by The Washington Post indicate that Navy officials quickly realized employees should be informed. But that was not done until October 2009. The names of those sending and receiving the messages were blocked out, but their offices, and in some cases their positions, were not.
An e-mail dated June 6, 2008, to the chief of naval operations and the Navy's chief information officer, among others, cites a report from a month earlier on personally identifiable information and reads, "A list of employees was generated (128) that reflected the names, social security numbers and perceived security clearance issues relating to each of named employees."
The June 6 e-mail says there was no criminal activity involved, though the Navy's general counsel was notified. It also says that the personal data are confidential and that their use is restricted. A June 9 e-mail from a Navy "privacy team leader" says the employees "must be issued letters stating that they are at increased risk for identity theft due to the high risk nature of PII [personally identifiable information] that was compromised." This note even indicates where a sample letter can be found on the Navy's Web site.
But the 244 employees -- subsequently increased from 128 -- were not notified until much later.

Source: The Washington Post