By Jason Miller
The Army's Accessions Command in Ft. Monroe, Va., reported a laptop
computer with personal information on 4,600 scholarship applicants for
the Reserve Officer Training Corps went missing Oct. 23.
The command just yesterday let the House Government Reform Committee
know that the notebook went missing. The committee asked all agencies to
report all data breaches since Jan. 1, 2003. Agencies had until July 24
to report their information, but the committee still is receiving
reports of data breaches.
Paul Boyce, an Army spokesman, said the data was password protected
using the Common Access Card. This means whoever allegedly stole the
laptop would need the card and the user's personal identification number
to access the computer. However, the data itself was not encrypted.
This was the first time the Army has reported a data breach, according
to committee chairman Rep. Tom Davis (R-Va.).
Davis, speaking today at an IT security event in Falls Church, Va.,
sponsored by the Information Technology Association of America, an
industry trade organization in Arlington, Va., said the Army either has
been that good or lucky or their information is incomplete.
The Veterans Affairs Department incident earlier this year, when the
laptop was stolen, "raised the threshold of awareness to just how
vulnerable we are."
"There is a need for proactive breach reporting requirements," Davis
said. "The history of withholding [news of] these events has to stop."
An amendment spelling out reporting requirements was included in the VA
bill passed by the House just before the election recess, he added.
The lost laptop comes about a month after Army CIO Lt. Gen. Stephen
Boutelle signed a memo outlining steps commands should take to protect
In a memo to members of Congress about the missing laptop, the Army said
the notebook contained social security numbers, addresses, dates of
birth and other personal identifiable information of ROTC applicants.
The Army said there is an ongoing investigation by the Criminal
Investigation Command as well as a Commander's inquiry. Additionally, the
Training and Doctrine Command reviewed physical security measures and
implemented new ones to help prevent a recurrence, the statement to
TRADOC also will send out a letter notifying applicants of possible data
breach as well as monitoring and protective steps that can be taken
against identity theft.
In the memo to Army commands, Boutelle directed them to immediately
implement data-at-rest remediation procedures for all mobile information
systems. These include:
* Identify and label laptops and USB devices designed for travel
support, and secure the most vulnerable users and systems first.
* Extend existing encryption capabilities to all systems at risk.
* If a command does not have encryption capabilities, use Microsoft
Corp.'s Windows XP Pro Encrypting File System functions coupled with
the command's Active Directory management structure to secure data
through a centrally managed certificate issuance encrypting file
* If the command does not have Microsoft's product, they should use either
whole disk encryption tools or file system encryption tools from
Credant Technologies Inc. of Addison, Texas, or PointSec Mobile
Technologies of Lisle, Ill., which are approved products.
Boutelle also said the pilot data encryption program going on in the
headquarters department will help develop the requirements and business
case for a contract for an interim enterprise solution that addresses
all users and systems by Jan. 1, 2007. This could be an enterprisewide
licensing deal with Credant, PointSec, Microsoft or all three.
"The Army has been very proactive in this," said Pete Morrison, Credant's
director of federal operations. "They have done a good job in providing
guidance. This has been important to them before [the Office of
Management and Budget] mandate or the guy at the VA lost the laptop. The
Army takes this stuff seriously."
GCN senior writer Patience Wait contributed to this story.