The breach of National Archives and Records Administration data in 2008 is an unusual case because the information security breach was not caused by criminal activity.
In 2008, a hard drive containing data stored by the National Archive and Records Administration (NARA) broke. Despite the fact it contained the sensitive data, including the names, addresses, and Social Security information of millions of U.S military veterans, it was sent to a government contractor for repair.
When the contractor tasked with repairing the hard drive determined it was beyond repair, the hard drive should have been immediately destroyed on site. This would have ensured that data could not be leaked to third parties. However, the hard drive was then sent off to be scrapped, which made it impossible to determine what happened to it and whether it was actually destroyed or not.
How many records were accessed?
The records of 76 million military veterans were leaked in this information security breach.
What’s happened since?
After the breach, complaints were made to NARA, who launched an investigation. Although it did not think that the data stored on the hard drive was breached, it has since amended its policies, so that all broken and malfunctioning hard drives, data storage disks etc. are destroyed immediately if they contain any sensitive personal data.
This case highlighted an aspect of data security which is so often overlooked. Companies spend millions of dollars investing in encryption and information security software, but all too often neglect to think about the hardware storing that data. Leaving a hard drive lying around or failing to dispose of one correctly is just as likely to lead to a serious breach in information security as a cyber-attack or malware infection.