http://www.informationweek.com/news/showArticle.jhtml?articleID=206905232

By K.C. Jones
InformationWeek
March 21, 2008

Access to personal passport information from presidential hopefuls Sens. Barack Obama, Hillary Rodham Clinton, and John McCain may not have been preventable, the U.S. State Department said this week. The incident highlights the need for greater data access controls for employees and contractors in the IT sector and the government.

Three State Department contractors had taken unauthorized looks at the electronic files of each of the candidates, although each had clearance to use the database, Undersecretary for Management Patrick F. Kennedy said Thursday. Obama's file was accessed three times: Jan. 9, Feb. 12, and March 14. It was disclosed later that the files of Clinton and McCain were also reviewed by the contractors. Two workers were fired.

State Department leaders have said they believe that the workers accessed the files out of curiosity. Secretary of State Condoleezza Rice on Friday issued an apology to Obama and Clinton and was scheduled to speak with McCain.

Kennedy said during a press briefing Thursday that all three people suspected of viewing the candidates' passport information had access to the database for one reason or another. He declined to state their job titles or explain specific functions that required the access, except to say that State Department workers must be able to look up information when people call about their passports.

"They were in a variety of functions that required them, in order to do their tasks, to have the access to the computer system," he said. He also said it was impossible to provide that access and simultaneously deny it to prevent people from snooping for no reason.

Kennedy did say, however, that the computer monitoring system worked properly by flagging the workers' activities after the fact. That's when supervisors were notified and took action, he said.

The Security Technology Worked

"One thing I want to emphasize, in each of these three cases, the system that was set up to detect any unauthorized access of these kinds of records worked," Kennedy said. "These unauthorized accesses were detected by the State Department and they were immediately acted upon. In each of these cases, the unauthorized access was caught by a monitoring system that was tripped when, in each of these cases, an employee accessed the record of a high-profile individual. When the monitoring system is tripped, we immediately seek an explanation for the record access. If the explanation is not satisfactory, the supervisor is notified. And that is the case in each of these three individual cases."

Kennedy has acknowledged, however, that the incidents should have been reported higher up the chain of command by insiders. Reporters first brought the data breach to the attention of senior members of the State Department.

The Bureau of Consular Affairs is in charge of monitoring database access, Kennedy said. A department spokeswoman contacted Friday did not know immediately who designed the database or the monitoring system, which, according to Kennedy, has been in place for several years.

It appears unlikely that technology is to blame for the invasion of the candidates' privacy, according to Kennedy's statements. Rather, it appears that the problem stems from a breach of trust by three of more than 50,000 employees.

The State Department restricts access to passport records, performs background checks on employees and contractors, and trains workers about privacy policies. Each time a worker logs on to the system, the worker acknowledges that the records are protected by the Privacy Act and that they are only available on a need-to-know basis, Kennedy said. Transaction logs provide a record of activity.

"They were supposed to use their access to -- for the purposes of the task that they were assigned," Kennedy said during the briefing. "They violated that trust, and that is, and they were caught in the monitoring system that we have. When you produce, as I said earlier, when you produce 18 million passports a year and there are numbers of passports that are lost every year, people call in and ask, 'Where is my passport in the system?'"

The Office of the Inspector General is investigating the incident, and authorities have not ruled out involvement by the Department of Justice. The logical areas of examination for both entities: e-mail folders, hard drives, and servers, but Kennedy said he hasn't told investigators where to look because he doesn't tell them how to do their job.

Kennedy said that the State Department will consider whether it's possible to "lock out" access to high-profile individuals' records, while still allowing workers to respond to inquiries.

The information contained in passport files comes from applications and may contain additional information gleaned from research used to determine whether to issue the passport. It is shared with a variety of law enforcement and other agencies for investigation. One of the more sensitive pieces of information contained in the file is a Social Security number, which can be used for identity theft or to access more information from other sources.