Online intruder gains access to Air Force personnel records
Using a legitimate user login, unidentified person viewed tens of thousands of records that include birth dates and Social Security numbers.
About 33,000 Air Force personnel, almost all of them officers, have been exposed to potential identity theft after a security breach involving an online personnel system.
Personnel records in the Air Force's Assignment Management System for about half of the service's officer corps were accessed by an unidentified person, the Air Force said in a statement.
The breach occurred during May and June. Air Force officials said that no instances of identity theft have been linked to the break-in. But experts warn that identity thieves often wait up to a year before using the data they obtain.
The system, managed by the Air Force Personnel Center at Randolph Air Force Base in Texas, is used to administer the process of assigning personnel to posts and for other career management functions. The system includes birth dates and Social Security numbers, but not pay rates, personal addresses, phone numbers or information on family members.
Officials at the personnel center discovered the breach after noticing unusually high activity on a single user's account in June. The perpetrator used a legitimate user login and password to access and download the personal data. Once the unauthorized access was discovered, the system was taken down and Air Force officials conducted a complete security review.
The Air Force said it delayed notifying those whose records were affected to allow law enforcement officials the chance to catch the perpetrator.
"We notified airmen as quickly as we could, while still following criminal investigation procedures," said Maj. Gen. Tony Przybyslawski, commander of the Air Force Personnel Center. "We've taken steps to increase our system security. We're working with all Air Force agencies to identify vulnerabilities. We must keep our data protected."
Przybyslawski encouraged those affected by the break-in to file a fraud alert with the three chief credit bureaus: Equifax, Experian and TransUnion. The alert flags the person's credit report and they are contacted if any new accounts are made in their name. The alert lasts up to ninety days. Przybyslawski also said airmen could get free credit reports from any of the three major credit bureaus under the Fair Credit Reporting Act.
Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, said service members overseas can establish an "active-duty alert" that places a notation on their credit reports, notifying potential creditors of possible fraud while they are overseas.
"Those people will never know if or when a thief decides to use their Social Security number for fraudulent applications for credit," Given said. "This incident just shows how vulnerable computer systems are and why it's important to keep them as secure as possible against intrusion."
In a letter to Air Force personnel, Przybyslawski said that a "wall-to-wall review" of all personnel data systems is being conducted to maximize security. "This may cause some inconvenience to users as we increase our access requirements," he wrote, "but in the long run it will be our best way to protect our members against theft of personal information."