October 13th, 2008

Deloitte laptop stolen: Clients at risk

Posted by Michael Krigsman @ 7:31 am

Categories: CIO issues, End-user impact, IT issues, Security and privacy

Tags: Deloitte LLP, Laptop Computer, Notebooks, Hardware, Notebooks & Tablets, Michael Krigsman

A stolen laptop belonging to consulting firm Deloitte contained confidential personal data belonging to 150,000 UK railway workers and all UK Vodafone staff with pensions.

UK politician, Les Bonner, said “until recently [Deloitte] was the external auditor for the railway pension schemes.”

The Register reports Deloitte’s statement:

A handbag with a Deloitte laptop in it was stolen from a public place in September. The laptop held information which included employee details of individuals from a number of Deloitte’s clients. It did not include addresses or bank account information. The theft was immediately reported to the police and relevant clients were notified.

The laptop was protected by a number of security measures, including start up password, operating system user ID/password authentication and encryption.

THE PROJECT FAILURES ANALYSIS

Oh, the irony of a security consulting firm, offering an information security advisory practice, that loses a laptop containing confidential client information.

Read the rest of this entry »

August 26th, 2008

Failed government IT: 'The mother of all databases'

Posted by Michael Krigsman @ 10:30 am

Categories: Financial impact, Government projects, Politics, Project failures, Project management, Security and privacy

Tags: Program, Information Technology, Data, NCTC, Subcommittee, Terrorist Identities Datamart Environment Database, Railhead, Submission, Government, Storage

The “IT system used to identify terrorist threats that has been crippled by technical flaws,” according to a memo from the House of Representatives Committee on Science and Technology. The failed system is part of a “central US government repository of data on international terrorist identities…described by Vice Admiral (Ret.) John Scott Redd as ‘the mother of all databases.’”

This enormous database, called the Terrorist Identities Datamart Environment (TIDE), is operated by the National Counterterrorism Center (NCTC) to support the “government’s various terrorist screening systems or watchlists.”

My take. I was initially skeptical of the allegations described in the House “Inspector General memo” because it raises highly technical issues in a political context. However, my impression changed substantially after studying the more detailed “Subcommittee memo,” which exhaustively documents the investigative sources forming the basis for the allegations.

Given the careful documentation, I believe the memos accurately portray current project status. While I have no opinion regarding specific descriptions of misappropriation of funds, the project management and contractor oversight flaws certainly ring true. From a technical perspective, the allegations are sufficiently detailed to appear rooted in fact.

The official NCTC response, described at the end of this post, offers little reassurance to those concerned about government waste on IT projects. Apparently, even the nation’s most substantial national security projects are subject to failure and allegations of malfeasance.

This isn’t the first government IT failure and certainly won’t be the last.

INSPECTOR GENERAL MEMO

The House Committee on Science and Technology impact memo, written to the Office of the Directorate of National Intelligence (ODNI) Inspector General, frames the issue:

The Subcommittee has learned that the TIDE database is suffering from serious, long-standing technical problems. The Subcommittee has also learned that a critical NCTC initiative, named “Railhead,” which is intended to replace TIDE with enhanced capabilities has suffered from severe technical troubles, poor contractor management and weak government oversight. As a result, potentially hundreds of millions of dollars have been wasted, delivery schedules have slipped, contractor employees have been laid off in order to restrain escalating costs, and the NCTC is now scrambling either to fix the technical troubles or possibly to abandon the program altogether. The end result is a current IT system used to identify terrorist threats that has been crippled by technical flaws and a new system that if actually deployed will leave our country more vulnerable than the existing yet flawed system in operation today.

—

Some Railhead insiders allege that a significant portion of the estimated $500 million dollars spent on Railhead has been inappropriately used to renovate a building of one of the prime contractors, The Boeing Company, into a Sensitive Compartmentalized Information Facility (SCIF) in Herndon, Virginia. These individuals have also questioned the technical solutions endorsed by the government to replace the current TIDE database, the qualifications of some of the Boeing subcontractors and potential conflicts-of-interest between the program director of another key Railhead contractor, SRI International, and the government’s Railhead program manager because of their alleged close personal ties. In short, documents obtained by the Subcommittee suggest that, despite hundreds of millions of dollars invested in Railhead and years of development, the government has little to show for its efforts.

—

Like many of these programs, the flaws and failures on Railhead have been exacerbated by weak government oversight, poor contractor management and lack of contractor accountability for the program’s performance. Turfbattles among contractors, particularly between the design team and development team, have hampered the sharing of critical technical data that has impaired the success of the Railhead program. In addition, one list of Railhead staff from January 2008 identifies a virtual army of 814 private contract employees from dozens of companies involved in Railhead and only 48 government officials keeping tabs on this mammoth and critically important national security program. In fact, an estimated one dozen government slots on Railhead have been vacant for more than one year. A combination of these management problems and technical troubles seems to have doomed the Railhead program to failure.

SUBCOMMITTEE MEMO

The Inspector General memo was based on worked performed by the Subcommittee on Investigations and Oversight. The more specific technical memo adds depth and detail to the allegations:

Among the largest and most expensive programs currently being funded by the ODNI is a program at the National Counterterrorism Center to improve and replace its current information technology systems, including the TIDE database, in order to enhance information sharing among federal agencies and improve access to counterterrorism intelligence data collected from more than 30 separate government networks that feed data into NCTC.

—

Documentation obtained by the Subcommittee points to a host of technical problems on Railhead, potential contractor mismanagement, contractor disputes, agency turf battles, poor government oversight and schedule delays that have hindered and hampered legitimate information sharing efforts on the program, have resulted in the potential waste of hundreds of millions of taxpayer dollars and placed the government’s key counterterrorism information sharing initiative in jeopardy of failing.

—

But technical problems on the current TIDE database appear to be hindering those efforts, and its successor –Railhead — is on the verge of collapse.

The original TIDE database, built by Lockheed Martin, replaced the Department of State’s TIPOFF database, designed and built by The Analysis Corporation, in the wake of the 9.11 terrorist attacks to automate the terrorist watch list. The TIDE database was built in Oracle as a relational database management system (RDBMS). This original database, however, suffers from basic design, management and maintenance ‘ inefficiencies and problems. For instance, only about 60% of the data, including names and addresses, mentioned in CIA cables provided to NCTC are actually extracted from these messages and placed into the TIDE database.

The TIDE database has evolved overtime as both contractors and government employees have attempted to expand and enhance the database to improve their own use of the system. But none of them appear to have taken into account the overall design or engineering architecture of the entire system. As a result, there are now dozens of tables or categories for identical fields of information making the ability to search or locate key data inefficient, ineffective and more time consuming and difficult than necessary.

In addition, the TIDE database relies on Structured Query Language (SQL), a cumbersome computer code that must utilize complicated sentence structures to query the tables, rows and columns that encompass the TIDE database. Without proper documentation on whether a table contains information on names, addresses, vehicles, license plates or an individual’s nationality, for instance, analysts have no valid mechanism to conduct a search of these “undocumented” tables.

Without a detailed index of the data stored in each table in TIDE, the SQL search engine is blindfolded, unable to locate or identify undocumented data. The current TIDE database is composed of data fields that are presented in 463 separate tables, 295 of which are undocumented, according to one internal Railhead document. As a result, critical terrorist intelligence in the TIDE system may not be searched at all. “Existing TIDE data model is complex, undocumented, and brittle,” the document notes, “which poses significant risk to RLSI [Railhead Lead System Integrator] data migration and modeling.”

GOVERNMENT RESPONSE

The NCTC provided a vague and general response to the allegations, saying the conclusions are:

[I]nconsistent with the facts. The letter implies that there exists a risk to our nation’s security related to the implementation of NCTC’s information technology program, commonly known as Railhead. There has been no degradation in the capability to access, manage and share terrorist information during the life of the Railhead program.

Railhead is a multiple contract venue to support the operations and maintenance of existing IT systems; it replaces and builds new functions for the Center. Fundamentally, it is a series of technology (primarily software) upgrades implemented between now and 2012, rather than all at once to improve mission capabilities for many systems.

[Via an unnamed reader who referred me to the Ars Technica story; I'm always grateful for reader submissions of failed IT projects. Anonymous submissions are welcome. Requests for interview to both the ODNI and the Subcommittee were not returned.]

August 4th, 2008

Failed IT causes major Georgia Blue Cross health privacy breach

Posted by Michael Krigsman @ 7:43 am

Categories: CIO issues, End-user impact, IT issues, Politics, Project failures, Security and privacy

Tags: Blue Cross Blue Shield, Information Technology, Privacy, Health Care, Vertical Industries, Benefits, Healthcare, Security, Enterprise Software, Software

Poor system testing caused a medical records privacy breach affecting over 200,000 members of Georgia Blue Cross and Blue Shield. The case has implications for both consumer privacy and IT’s impact on business operations.

In an emailed statement, Blue Cross spokesperson, Cindy Sanders, said:

[A] mailing of Explanation of Benefits (EOB) letters included EOBs sent to incorrect addresses. These EOBs may have included protected health or personal information. We are currently assessing how many people may have been affected by this incident and we will quickly notify impacted members and send them the correct EOB.

The Atlanta Journal-Constitution reports that Blue Cross blames “a change in the computer system that was not properly tested.” During a phone call, I asked Sanders for details; her vague response, “We are still going through the situation and assessing it right now.”

Commenting on the privacy breach, Georgia’s Insurance Commissioner, John Oxendine, told WALB television:

This is a very serious breach. It’s the worst breach of health care privacy I’ve seen in my 14 years in office. Obviously it was unintentional but it’s a violation of both state and federal law.

THE PROJECT FAILURES ANALYSIS

This case is significant for two reasons: most importantly, it demonstrates the need for stricter regulation regarding how organizations handle confidential consumer data. Additionally, the situation provides a clear example of the link between an organization’s technical practices and overall business operations.

On the privacy side, data breaches resulting from poor practice or carelessness are common. I continue to believe stricter government regulation and enforcement is required to solve this problem. Consumers will continue to be screwed until governments become more involved.

From an IT perspective, this data breach demonstrates how backend systems and procedures, such as software quality assurance, can directly affect business activities. Although we don’t have much detail, it appears Blue Cross didn’t properly test an upgrade or other code change before deployment. We don’t know whether this lapse was a one-time mistake or represents a deeper systemic IT issue inside Blue Cross.

Sanders emailed statement suggests the problem was straightforward enough to identify and fix quickly:

This was an isolated incident and will not impact future EOB mailings. As soon as we became aware of the mailing error, we worked to determine the exact cause and we have made changes to prevent it from happening again in the future.

Since Blue Cross knows why the problem occurred, they should be more forthcoming to the public. Sanders added no new information in response to my follow up request for more details:

There was a system change that was not comprehensively tested. We have already made changes to prevent it from happening in the future.

In my view, that response is completely unhelpful and doesn’t recognize the substantial threat of identity theft many Georgia Blue Cross subscribers now face.

[Via Risks Digest. Image via iStockphoto.]

July 7th, 2008

Daily Mail employee data stolen on laptop

Posted by Michael Krigsman @ 11:11 am

Categories: CIO issues, IT issues, Security and privacy

Tags: Bank, Data, Laptop Computer, Government, Notebooks, Disaster Recovery, Financial Services, Hardware, Notebooks & Tablets, Data Management

A laptop containing confidential information belonging to employees and suppliers of UK newspaper, the Daily Mail, was stolen. According to the Guardian, the missing data consists of name, address, bank account number and bank sort code belonging to affected staff.

The Guardian said:

[Associated Newspapers group finance director, Simon Dyson, and his Northcliffe counterpart, Martyn Hindley said] the laptop was “password protected” but tell recipients to contact their banks and also “consult the government website … for advice on avoiding or dealing with identity theft”.

The letters add: “The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the computer and who may just erase what is on the hard drive in order to disguise the fact that the computer is stolen.

Computerworld UK wrote that the Mail blamed a ”’technical issue’ and said they had ‘already strengthened’ security procedures.”

It’s unclear whether or not the data was encrypted; I suspect not, since otherwise the Daily Mail would likely have made that point clear. One can easily imagine the confidential data sitting on a standard XP or Vista laptop with no security enabled aside from standard login passwords.

For the Mail to suggest thieves will “just erase” the data is ridiculous speculation bordering on the ludicrous. Beyond that, I’m sure curious what kind of “technical issue” caused this problem. Must be a darned simple technical loophole if it could be strengthened as quickly as the paper suggests.

Unfortunately, this type of data protection failure has become a common occurrence in both the private sector and government. As I have written before, “It’s time for the government to mandate encryption of personally-identifiable data held by both public and private entities.”

Attempts to contact the Daily Mail for comment were unsuccessful due to time differences between the US and UK.

June 19th, 2008

Lame NHS loses 31,000 patient records

Posted by Michael Krigsman @ 7:13 pm

Categories: CIO issues, IT issues, Politics, Security and privacy

Tags: Patient, Laptop Computer, Lame NHS, National Health Service, Notebooks, Hardware, Notebooks & Tablets, Michael Krigsman

Setting an example for irresponsibility while violating internal Department of Health policies, the UK National Health Service (NHS) has lost unencrypted data on 31,000 patients. The data was lost when thieves stole several NHS laptops.

Computerworld UK reports:

A laptop containing 11,000 patient records was stolen from a GP’s home in Wolverhampton. And St George’s Hospital in London has admitted that six laptops were stolen from its filing cabinets at the start of the month, containing the records of 20,000 patients.

The NHS has a history of losing unencrypted data.

In a rather poor showing of remorse, the NHS explained:

The trust apologised for losing the laptops, and added that it was its policy for laptops not to contain patient data.

“This was done as a temporary measure because of a problem with the computer network. However, the laptops were in a secure area under lock and key,” it said in a statement. “The data was being used to monitor and reduce waiting times at the hospital.”

THE PROJECT FAILURES ANALYSIS

Personal data loss has become an enormous public issue affecting millions of citizens. Until relevant organizational leadership experiences the personal pain of fines and jail sentences, society will continue to face this problem.

• See also: Data loss CEOs should go to jail

I wrote the following when the Bank of New York lost 4.5 million unencrypted customer records:

Strong legislation and strict penalties, including the threat of jail time, is the only way to solve this common problem. If HSBC, the UK’s largest bank, is willing to send out unencrypted data, then this is truly a massive issue. Industry self-policing has not worked and it’s time the government enacted preventive regulation.

Those sentiments remain true today. It’s time for the government to mandate encryption of personally-identifiable data held by both public and private entities.

June 4th, 2008

NY Bank 'loses' 4.5M unencrypted customer records

Posted by Michael Krigsman @ 7:20 am

Categories: CIO issues, IT issues, Security and privacy

Tags: Bank, Tape, BNY Mellon, Identity Theft, Financial Services, Security, Michael Krigsman

In yet another unbelievable story of data irresponsibility, the Bank of New York (BNY) Mellon lost two sets of unencrypted backup tapes containing private data belonging to 4.5 million individuals. Third-party vendors misplaced the tapes during transport to off-site locations. According to the bank, the tapes “included shareowner and plan participant account information, such as name, mailing address, Social Security number, and transaction activity.”

Responding to the bank’s delay in reporting one incident, which took place on February 27, 2008 but was not disclosed until the end of May, Connecticut Governor, Jodi Rell, said:

The disastrous effects of identity theft are virtually instantaneous in today’s computerized world, and the lag time between the theft and the notification only aggravates what is an already outrageous situation.

BNY Mellon’s chief risk officer, Todd Gibbons, said the bank now plans to improve security related to backup tapes. From Computerworld:

To bolster its security controls, the bank said it will now require that any confidential data written on tapes or CDs for transport must be encrypted or transported with undisclosed additional data protections. Further, when “technically feasible,” the bank will demand that encrypted confidential data be delivered to off-site facilities electronically, noted Gibbons.

After exposing 4.5 million people to identity theft, it seems the notion of tape encryption suddenly popped into their heads. In my opinion, BNY Mellon should fire Todd Gibbons immediately for this serious breach of public trust and fiduciary responsibility. Think my perspective is too severe? Then see stories about identity theft victims, such as those described on privacyrights.org.

I continue to believe strong legislation and strict penalties, including the threat of jail time, is the only way to solve this common problem. If HSBC, the UK’s largest bank, is willing to send out unencrypted data, then this is truly a massive issue. Industry self-policing has not worked and it’s time the government enacted preventive regulation.

May 12th, 2008

FBI: Counterfeit Cisco routers risk "IT subversion"

Posted by Michael Krigsman @ 6:05 pm

Categories: CIO issues, Government projects, IT issues, Politics, Security and privacy, Vendor relationships

Tags: Cisco Router, Router, Network, Information Technology, Cisco Systems Inc., Hardware, Routers & Switches, Federal Government, Networking, Network Technology

An internal Federal Bureau of Investigation presentation states that counterfeit Cisco routers imported from China may cause unexpected failures in American networks. The equipment could also leave secure systems open to attack through hidden backdoors. The scope of the problem is broad and results from a complicated supply chain originating in Shen Zhen.

From a narrow project failures perspective, network problems caused by this equipment should be treated as any other hardware malfunction. Of course, the entire concept of third parties using compromised hardware to infiltrate public and private systems in the United States is another matter entirely.

Faulty networking hardware can be a nightmare to troubleshoot and fix. For example, the U.S. Customs and Border Protection (CBP) location at Los Angeles Airport (LAX) suffered a failed router last year; the problem delayed 20,000 passengers before technicians successfully isolated and repaired the issue.

The following slides, pulled from the larger presentation, indicate how seriously the FBI is taking this threat to national security.

April 8th, 2008

HSBC loses data on 370,000 customers; violates security standards

Posted by Michael Krigsman @ 1:39 pm

Categories: CIO issues, End-user impact, IT issues, Project failures, Security and privacy, Uncategorized

Tags: Bank, Security, Disc, Security Standard, HSBC, Financial Services, Michael Krigsman

HSBC, the UK’s largest bank, lost an unencrypted data disc containing the names and insurance information of 370,000 customers. HSBC sent the disc via unregistered postal mail because its usual method of secure electronic data transmission “wasn’t working.”

Network World reports the bank’s response:

“The data, which was password-protected, includes names, life insurance cover levels, dates of birth and whether or not a customer smokes. There is nothing else that could in any way compromise a customer and there is no reason to suppose that the disc has fallen into the wrong hands,” the bank said in a statement.

“We don’t normally send information on hard copy, but usually send electronically through this secure network. But the system wasn’t working the day this information needed to be sent to the reinsurer.”

THE PROJECT FAILURES ANALYSIS

According to Forbes, HSBC is the world’s largest company, meaning it has the resources needed to properly secure customer data. As an axiom, unencrypted confidential data should never be sent through the mail.

The situation is particularly disturbing in light of a similar, and extremely well-publicized, incident at the UK Revenue & Customs (HMRC). In that case, 25 million names were lost when discs were also sent through the mail.

HSBC has demonstrated complete lack of regard for handling secure, confidential, and private customer data. I urge the Information Commissioner’s Office (ICO) to take swift and appropriate action against HSBC.

December 29th, 2007

Data breaches: 2007 IT failure superstar

Posted by Michael Krigsman @ 6:13 pm

Categories: Availability and reliability, CIO issues, End-user impact, Enterprise 2.0, IT issues, Project failures, Research and statistics, Risk, Security and privacy

Tags: Breach, Information Technology, Data Breach, Disaster Recovery, Strategy, Data Management, Management, Michael Krigsman

Data breaches represented the most important category of IT failure during 2007.

The year 2007 saw spectacular failures, ranging from improperly-paid teachers at Arizona State University (ASU) and the Los Angeles Unified School District (LAUSD), to a massive implementation problem at the UK National Health Service (NHS), which one observer called the “greatest IT disaster in history.” Despite the impact of these high-profile failures on victims, the number of people affected is minuscule compared to the cumulative effect of data breaches.

The Privacy Rights Clearinghouse conservatively estimates over 216 million privacy records were breached in the period 2005-2007, in the United States alone. According to attrition.org, which maintains a database that researchers can download to conduct their own analysis, approximately 165 million records were compromised during 2007. While most breaches occurred in the US, incidents were also reported in Australia, Canada, Germany, UK, Japan, Netherlands, Norway, and Sweden.

The downloadable attrition.org database lists the following causes for data breaches during 2007:

• Improper document disposal
• Fraud
• Hacking
• Lost computers and disk drives
• Lost and stolen media and tapes
• Lost postal mail
• Web breaches

Unlike ordinary IT failures, which generally affect a relatively bounded group, such as employees of a particular company, even a single breach can put millions of people at risk and cut across every segment of society.

The recent loss of two data discs belonging to UK Revenue and Customs (HMRC) is a case in point. The loss of these discs, which contained personal information belonging to 25 million people, affected every family in the UK with a child under the age of 16. The scope of this breach was such that the British prime minister was forced to apologize.

Stopping data breaches will likely be far more difficult than preventing IT failures, which can be controlled by applying improved implementation methodologies and processes. Many breaches, such as the HMRC case, ultimately arise because organizations do not recognize the true value of the data under their protection. As we all know, changing such deeply held attitudes in any organization is usually a long-term project.

Given these attitudes, improving the worldwide data breach situation will require a combination of top down change and government regulation:

• Senior leaders from both private companies and government agencies must treat data protection policies as strategic and devote resources at a level commensurate with this status. Bringing forth such a cultural change in attitudes toward custodial data will take years.
• Governments should demand stiff penalties from organizations that lose personal data, regardless of how that data is lost. In addition, regulators should enforce more timely public disclosure, and increased transparency, whenever breaches occur.

Although these steps will reduce the prevalence of data breaches, we are likely to see many more in 2008.

December 19th, 2007

Twitter is dangerous

Posted by Michael Krigsman @ 5:02 pm

Categories: Enterprise 2.0, Failure 2.0, IT issues, Risk, Security and privacy, Tools

Tags: Twitter, Instant Messaging, Productivity, Internet, Online Communications, Michael Krigsman

Twitter is rapidly becoming a serious threat to corporate information protection. The program’s great strength — many-to-many messaging — becomes its great weakness in this context.

Imagine this scenario: 20 people are in a confidential meeting, one of them using Twitter. This attendee broadcasts an off-hand “tweet” (Twitter comment) to his or her “followers” (Twitter friends). With traditional instant messaging, that message would be received by perhaps one or two others. With Twitter, that comment may be seen by 10, 100, 1000, or more followers.

Why it matters? Twitter has the power to turn groups of innocent bystanders into instant analysts. Even seemingly innocuous comments, when put before a large group of people, can be analyzed more rapidly, and in more depth, than you might expect. This can easily cause ranges of unintended, highly negative, consequences.

If you’re running corporate IT, what should you do? You’ve got a few choices:

1. Pretend the problem doesn’t exist. Not being one to advocate head-in-sand methods, I can’t recommend this approach.
2. Block, or monitor, Twitter, as you might do with traditional instant messaging programs, such as Yahoo or AIM. It’s a tried and true method - not the best, but it works.
3. Acknowledge the inevitable, and establish clear information sharing policies and guidelines. In the long run users, like water, will seek their own level. In other words, users will eventually adopt the tools they want, whether you want them to or not. The wise among us will recognize this certainty.

The solution: be prepared to strongly enforce information-sharing policies. If confidential information is being shared, even innocently, question the judgment of the sharer.

By the way, if you think Twitter isn’t mainstream enough to matter, think again. It’s currently got almost 700,000 users, many of them influential early adopters. Twitter isn’t going away, and like all tools, it can be used for both good and evil. Balancing Twitter’s dangers and benefits may not be easy, but you’d better start thinking about it today.

Disclaimer: I love Twitter, so it pains me to write this. If you want to follow me on Twitter, click here.