The National Guard Bureau (NGB) recently reported an accidental data exposure that affected 868,000 current and former employees of the U.S. Army National Guard, further demonstrating the security dangers of employee errors.
A mishap in the transfer of files containing personally identifiable information (PII) into a non-approved Department of Defense (DoD) environment led the NGB to investigate and notify the Office of the Secretary of Defense (OSD). The DoD's investigation of the incident, which began in December 2014, revealed that the breach was not the result of malicious actions and that the incident had no relation to the Office of Personnel Management (OPM) breach that has haunted headlines for the majority of this month.
According to the NGB's announcement, data files containing the individual names, Social Security numbers, home addresses and dates of birth were exposed in the breach. Army National Guard members who served at any time since 2004 are affected, according to an FAQ on the National Guard website.
"The data that was sent to the contractor's data center was believed to be protected with the commensurate security measures," Kurt Rauschenberg, public affairs specialist at the NGB, wrote to SearchSecurity in an email. "However, because it was transferred from the .mil to a contractor facility and not monitored by a DoD Computer Network Defense Service Provider, this incident is considered a breach."
All personal data within the organization is required to be encrypted, according to Rauschenberg, but this information was not. He explained that although technically the incident was a breach, it was more an example of poor security policy.
"The information transferred was being analyzed for budget forecasts by National Guard Bureau analysts," Rauschenberg said. "At the time of the transfer, the data was downloaded to a server off-site from the National Guard Bureau."
Security breaches in government are nothing new. According to Verizon's 2015 Data Breach Investigations Report, 50,315 security incidents have occurred in the public sector in the past year. But employee errors have led to some notable data exposure incidents this year.
Earlier this year, Republican presidential candidate Jeb Bush accidentally exposed PII for 12,000 people when he disclosed his email records in the name of transparency. The California Department of Business Oversight accidentally disclosed the PII of investment advisors and broker-dealers in March. And earlier this month, a similar exposure of data occurred in India, when a government agency accidentally uploaded personal information onto Google Drive.
"As with years past, errors made by internal staff, especially system administrators who were the prime actors in over 60% of incidents, represent a significant volume of breaches and records," according to the Verizon report, which added that sensitive information reaching the wrong recipients amounted to 30% of these mistakes.
The NGB took full responsibility for the mishap, since the data was transferred to a government contractor under the oversight of the NGB.
Rauschenberg said the NGB's decision to inform the public of the incident was "the right thing to do regardless of the low risk involved."