Thursday, July 15, 2010
Some questions about data security in Hawaii government
by Larry Gellerleak@disappearednews.com
Do you remember the recent newspaper article about hackers breaking into the University of Hawaii parking services computer? It turns out that the data included social security numbers and also that it was not stored in encrypted form. See: UH lax computer security to blame for massive leaks of private information (7/7/2010).
Through its lack of security, 53,000 records were exposed to hackers. Had the records been encrypted, there would be no exposure. Another issue is why there would be social security numbers in the database in the first place.
What brought this to mind was the recent scandal in Utah:
An anonymous group has distributed a list that is spreading terror and outrage among the Latino community in Utah. The list includes names, addresses, workplaces, phone numbers, birth dates and, in some cases, Social Security numbers of some 1,300 people that the group alleges are undocumented. The list was sent to law enforcement officials, state lawmakers and the media, and urges that those on the list be immediately deported. All the names are Latino, and they include over 200 children and the due dates for six pregnant women. [Democracy Now, "They Have Terrorized Our Community": Anti-Immigrant List Targets Latinos in Utah, 7/15/2010]
Now, even with encryption, an employee can (for example) print out data and take it off the premises.
That’s why corporations also have programs that routinely monitor which records in a database have been accessed by whom, and when.
Back to Hawaii.
I speculated that if DHS were allowed to close its in-person intake centers and outsource the work to call centers, before long our phone calls might even be answered in India. They’d just have to learn some Hawaiian pronunciation. As it turned out, DHS confirmed later that it has already outsourced some calls to a Mainland call center.
Well, I ask, does that call center have access to personal information? What security standards are imposed on them, is it possible for DHS to verify them, and in fact, what security does DHS itself have in place to protect the personal information of its clients? Does it impose standards on the two QExA contractors, subsidiaries of two Mainland firms?
Will we open our newspaper one day to read headlines that a list of personal information has been leaked from one state computer or another?
I already know a little. OHA, for example, outsources its email system support because it couldn’t handle it by itself. There’s a potential security problem. There was no risk analysis performed, according to an audit conducted last year.
Worse, at the time of the audit, OHA was sending backups of its data home with its IT manager, to be stored in his home safe. Yikes!
But wait… it gets worse than that. Here’s a database that is not being securely kept:
The Kau Inoa Native Hawaiian Registry is a database of Hawaiians who are willing to participate in the process of building a native Hawaiian governing body. Registration with Hawai‘i Maoli, which administers the Kau Inoa Native Hawaiian Registry website and database independent of OHA, requires providing sensitive information such as first, middle, last, and maiden names; home and mailing addresses; phone number, email address, gender, and date and location of birth. The process also allows for the scanning and emailing of the registrant’s birth certificate as one method to verify Hawaiian ancestry.
Although there is no evidence that the information collected is being mishandled, we did find that the lack of risk analysis contributed to weak contractual requirements for the security of the system. For example, currently, there is no provision in the contract that mandates regular audits and security checks of the database.
Although Hawai‘i Maoli is a separate organization from OHA, the consequences of a Kau Inoa database breach would directly impact OHA.
Now, you’d think that the state would have a Chief Information Officer, and that there would be security standards and regular audits. Well, there is a CIO, but:
In the State of Hawai‘i, the CIO’s duties are carried out on a part-time basis. As noted above, the current CIO was appointed by the governor in 2004 and also serves as the state comptroller.
It’s no wonder that the Auditor concluded:
1. The State’s IT leaders provide weak and ineffective management.
2. The State no longer has a lead agency for information technology.
Some of the state’s information technology standards go back two decades, according to the report, and 90 percent of the manuals are incomplete besides.
One of my favorite examples of poor security is a map, on the Capitol website, that pinpoints the location of one of their data centers.
In the 1970s corporations stopped showing potential evildoers where their data centers were located. They also stopped placing computers in show windows.
(In fact, I worked at a GE computer center in the street level window at 570 Lexington Avenue in New York City until it was moved to a nondescript data center in New Jersey. We put on quite a show for lunchtime passersby, spinning all the tapes and so forth. But GE moved us and closed the metal drop shutter on the large show window. Three months after we left, a bomb detonated in the lobby took out what would have been the data center (and maybe me!). The bomber didn’t know, of course, that all the equipment had been moved away.)
So my point is, it’s pretty basic security not to identify where the goodies are kept. And it’s not like I have not pointed this out to them, I have.
If you are aware of any data security situations that put public data at risk, why not send a message to firstname.lastname@example.org. The social security number you help protect may be your own.
The current practices are inexcusable and need to be fixed. But you've been taken by the credit industry if you think fixing all this will make a major difference in stopping identity theft. Most data breaches don't result in identity theft, and most identity theft doesn't happen as a result of data breaches.
If we really cared about identity theft we'd address the actual criminal act of stealing an identity. This would not only protect the few who are victimized as a result of data breaches, but also the many many more who are victimized by friends, relatives, in-home employees, viruses on their computer, hacking of their computer, falling for phishing, paper mail being stolen or having your address changed fraudulently, lost/stolen purses/wallets/checkbooks/creditcards, home burglaries (my personal problem), and corrupt businesses/employees. Yes, data breaches are a part of the problem and need to be stopped, especially when security is sloppy. But the estimates I've seen suggest that about 10% of identity thefts are the result of data breaches. (You may be able to find better/current numbers.)
Somehow it was ok for decades to put SSNs on college walls, drivers licenses and oh by the way, they're still on most Honolulu Municipal Golf IDs. So what changed? The credit industry decided to make it trivial to use this information to open easy credit in other people's names. So now we have criminalized practices that used to be ok so the credit industry can issue quick and easy credit in other people's names and write it all off as part of their lucrative business practices. For them, it's a business decision: their bottom line easily justifies the costs of their lobbying efforts to distract pundits like you from the source of 90% of the damage to real people
"In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn't work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry's lobbyists would never allow that."
Fixing that would be far more useful than mounting a witch hunt against beleaguered state agency employees to support the credit industry's abusive practices.
Thanks for your long and informative comment.
I haven't been taken in by the credit industry. I have had my credit card misused by someone, and the bank was very helpful in stopping the problem in its tracks. But I'm not challenging you on what you have said.
It's more than identify theft, by the way. As we saw in the current Utah incident, protected medical information is also contained in government databases and can be used against one.
Information, once it gets out, cannot be contained easily. DHS holds medical information that employers would love to have. Why hire someone with diabetes, for example, when someone else with equal (or lesser) qualifications has also applied? Why hire someone with HIV? The only place to contain private information is at its source. Once out, your personal data is available to anyone for a price.
Thanks for the lead on the Municpal Golf ID. Another thing that needs to be done is that unnecessary information (like SS numbers) should not be present in the data in the first place.
Well, thanks again, Larry for the real news.
It is infuriating.
I will be sending out an email to many people informing them especially of the OHA sloppiness linking to your site.
That woman, Apoliana, is very concerned about her plush office and frequent flights to glamorous Wash.D.C. but has the arrogance not to be concerned about the signatures of beneficiaries that have provided their trust for her stolen lifestyle that the beneficiaries will never enjoy. Queen Liliuʻokalani she is not.
As to all ʻleaksʻ which are really thefts, several years ago (at peak of Bush regime) Wilcox hospital Kauai declared that someone had stolen a ʻmaster discʻ of everyoneʻ information that had ever been seen at that hospital. There wasnʻt a peep nor an outrage from the public. They probably just donʻt understand the technical end of it nor the ramifications. What better way to gain access to everyone than through a hospital?...All residents, deaths, births, family members, visitors, etc. that can be added to the ʻinfo bankʻ and cross filed with other stolen/on file data. Complete profiles.
My guess is that these ʻleaksʻ are simply sales of valuable property by people in the position to access it; possibly higher ups.
The way things are going, can we see any reason to being paying taxes? After all, they are privatizing and eliminating all services and amenities that justify the collection of taxes. It is very comforting to know that some citizens are not taking this lying down: Colorado has created a new taxpayer Bill of Rights I believe because of these reasons.
Thank you again for staying on top of the true crime. And as benignly and dismissive as local governments are about it, it is all the more alarming and a pattern that should also be examined as to its potential for a systemic conspiracy.
Thanks for your comment, kind words, and for the info on Wilcox Hospital. From my perch benhind a computer keyboard on Oahu it is sometimes hard to keep track of what is happening on other islands. In Googling around, I didn't google Wilcox.
I disagree with Anonymous #1. You say: "So what changed? The credit industry decided to make it trivial to use this information to open easy credit in other people's names."
Actually SS#ʻs have always been confidential and provided voluntarily. It is in recent decades that a trend started to extort SS#ʻs from people with the threat of with-holding something. People became intimidated into giving up their SS#ʻs.
Now the law is being enforced as you can tell by only providing the last 4 digits.
Thereʻs so much of it, hard to keep track. And there is probably a lot that has been scrubbed from internet.
The reason you probably missed Wilcox is as I mentioned the story was played down. I felt like stranger in a strange land standing in shock, mostly that nobody seemed to care.
Just to let everyone know that I do follow up on your info, I sent a Request for Public Rcords to the city golf office via their email. The email bounced. I'll get it to them another way.
Has anyone applied for a Golf ID? One thing they ask for is a copy of a Hawaii tax return with @-2 form as one form of proof of address (a State ID is not accepted!). I am hoping that they don't try to keep a copy of that tax form. It's bad enough that they ask for it.
Just goes to show that since Bush 2 held office the free for all has been alive and well.
Didnʻt used to be this ʻblatantlyʻ lawless.