US soldiers’ data being downloaded overseas

Experts say availability of such data increases threat of identity theft, retaliation against troops on sensitive missions

LAHORE: The personal data of tens of thousands of US soldiers continue to be downloaded by unauthorised computer users, the Washington Post has reported, despite the US army’s assurances that it would try to fix the problem.

Tiversa, a private firm that scours the Internet for sensitive data, says it discovered the fact while conducting research for private clients. It found, as recently as this week, documents containing Social Security numbers, blood types, cell-phone numbers, e-mail addresses, and the names of soldiers’ spouses and children.

Experts say the availability of such data exacerbates the threat of identity theft and retaliation against troops on sensitive missions. In addition to using the information to drain financial accounts, hackers could pose as soldiers in an effort to ferret out sensitive data, including passwords to government systems.

House Oversight and Government Reform Committee Chairman Rep Edolphus Towns said such disclosures represented a “major security risk” to the service members and the military

The company found the sensitive documents by using “peer to peer” file-sharing software, which can be easily downloaded on the Internet and which allows computer users to share music or other files. Many computer users do not realise that it can make the contents of their computers available to others.

Towns, who is drafting legislation to address the problems raised by the peer-to-peer technology, said what was striking about these file-sharing leaks “is that these aren’t one-time events. Once this software is installed and files are leaked, the leaking is continuous”.

In 2003, the army instituted policies barring the unauthorised use of peer-to-peer software. The Pentagon did it in 2004, and defence contractors have followed suit. But critics say policies often are not enforced.

Of particular concern to security experts is the discovery of personal information about soldiers whose mission area is Africa.

A spokeswoman for the Army Special Operations Command confirmed the data breach but described it as an isolated incident.

Tiversa saw Special Forces data on servers in Pakistan in May and immediately notified military investigators.

In April 2008, it spotted spreadsheets from Army master sergeants’ promotion lists containing the personal data of 60,000 soldiers, downloaded in foreign countries.

Gary Tallman, an Army spokesman, said it was “troubling” that personal information continued to appear on file-sharing networks. Steven Shirley, head of the Defence Department’s Cyber Crime Centre, said “even very tech-savvy organisations... have issues with peer-to-peer applications”.

Towns’s committee found that contractor documents on major weapons programmes such as the F-35 Joint Strike Fighter had found their way onto these networks and have been accessed by computer users in China and other countries.

Some of these documents, while not marked “classified,” were restricted under the Arms Export Control Act of 1976, or the International Traffic in Arms Regulations (ITAR), which prohibit release of the information to unauthorised foreigners. Violation of ITAR can result in a fine of up to $1 million or 10 years in prison or both, and a civil penalty of up to $500,000 for each violation.

Industry has long complained that ITAR is too broad.

Jeffery Adams, a spokesman for Lockheed Martin, which is building the Air Force’s Joint Strike Fighter, said the company is “aware of the vulnerabilities peer-to-peer networks present to the corporation”, and so prohibits employees from using such networks on company systems. He declined to comment on the F-35 documents. Link...