The National Archives and Records Administration (NARA) are investigating a potential data breach involving a lost hard drive that could affect 70 million records of US military veterans.
A report by Wired claimed that a defective hard drive that powered eVetRecs, the system veterans use to request copies of their health records and discharge papers, was sent by an agency back to its vendor for repair and recycling without first destroying the data.
When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them for repair. GMRI determined it could not be fixed, and ultimately passed it to another firm to be recycled.
However, the NARA said that the lost drive is not a problem because its contractors signed privacy promises in their contracts, though the agency has since changed its policy to require that sensitive media be destroyed by NARA itself.
Writing on the IDtheftsecurity.com blog, consultant Robert Siciliano claimed that the hard drive should have never left the facility and should have been destroyed.
Siciliano said: “A $2,000 hard drive with millions of social security numbers is worth millions, maybe billions of dollars if it gets into the hands of a criminal. The ‘loss' of data like this can cost a government agency or corporation millions to respond to the breach. The Pentagon requires that old or defective drives be de-magnified or destroyed.
“With this data, a thief can open a new account such as a credit card and have the card sent to a different address. This is true identity theft. New account fraud destroys the victim's credit and is a mess to clean up.
“Government intervention to protect you from new account fraud is probably not going to happen any time soon, if ever. The responsibility is the citizens to protect themselves.”