About the Show

Anchored by Jake Tapper, The Lead airs at 4 p.m. ET on CNN.

Anchored by Jake Tapper, The Lead airs at 4 p.m. ET on CNN.

On the Next Episode of The Lead

We've moved! Come join us at our new show page.

We've moved! Come join us at our new show page.

September 15th, 2014
04:00 PM ET

Government agencies not securing your data, or your kids'

By CNN chief Washington correspondent Jake Tapper

(CNN) – You might think that your government is vigilant when it comes to securing your personal information, or that of your children. You would be wrong.

Hackers have discovered one of the biggest potential security holes of the modern era, one that can leave data exposed to any hacker willing to find it. And in at least one instance, that vulnerability has resulted in a data breach impacting almost three dozen children and their families.

"We estimated over 100,000 identities could have been compromised at this point," said hacker Bryan Seely, a tech expert who told his story to CNN in an interview that will air on CNN's "The Lead with Jake Tapper" on Monday.

Seely and fellow hacker Ben Caudill discovered the security hole, uncovering intimate details like children's school records, including detailed bus route information; arrest and prosecution information from a major Midwestern city; and the real names and numbers of intelligence agents visiting a major American port.

"We knew immediately what we found was serious. Within a couple of minutes we found Social Security numbers, dates of birth, private student records, transcripts, grades," said Caudill.

Seely and Caudill both work at Rhino Security Labs. They are also self-described ethical hackers, using their computer skills for good, identifying vulnerabilities in applications and networks. Seely, a former U.S. Marine, made headlines earlier this year with a hack of Google Maps that allowed him to listen in on the phone calls of the FBI and the Secret Service.

"We take that information, privately disclose it to law enforcement, to the relevant parties, and then work to get those issues re-mediated," said Caudill.

This month, Seely and Caudill – along with Rhino Security Labs' lead researcher Dana Taylor – found that a weakness software giant Oracle discovered in 2012 – and provided a fix for – remains a huge vulnerability to any customer that missed or ignored the fix.

CNN asked Oracle about all these customers who still had vulnerabilities in their systems.

"We identified this issue two years ago. It was not a product coding defect allowing hackers to bypass security mechanisms. Instead, the product included a configuration setting allowing customers to disable security checks. Oracle identified that customers were leaving this setting open and immediately issued a patch that made the default setting for customers secure. This patch was issued as part of our regularly scheduled Critical Patch Update customers know to apply every quarter. Oracle notified all of our customers directly that they should apply patch. This process is commonplace in the industry,” said Oracle spokesperson Deborah Hellinger.

Seely says Oracle owes more to its customers in terms of warning them about the potential breaches.

"Could they call everyone? Probably. It might take a little while, but is it the right thing to do, versus just posting a blog entry and just hoping that people fix it and calling it, 'Hey we’re good?' I think there’s a middle ground," said Seely.

At least two of the Big Ten universities are at risk with fully exposed transcript information. At Meridian Community College in Mississippi, student names, Social Security numbers, dates of birth, grades, transcripts, dorm room numbers, and salaries for more than 100,000 students and faculty were laid bare – a goldmine in this era of identity theft. The college has since fixed the security weakness.

"You could completely steal someone’s identity, and assume someone else, and take money out of their accounts. You could file legal documentation, you could take out business loans – the sky’s the limit," said Seely.

The Texas Department of Family and Protective Services is also at risk.

"That is a department that had records of parents, the children, the situation of the living environment of the child, things that the child had gone through," said Seely. "It’s a little rattling."

The department's case notes, Social Security numbers, dates of birth, and medical and court information from more than 600,000 cases involving more than one million people were exposed.

"The database has been shut down, and testing so far has found a limited data breach affecting fewer than 30 individuals. Anyone whose information was compromised is being notified and credit monitoring/identity restoration services will be provided at state expense,” the department said in a statement to CNN.

Seely and Caudill are working with the FBI to alert organizations that are still vulnerable, and help patch their security systems.

Even the most secretive organizations are vulnerable.

"Even the government doesn't have the same stringent standards and the same IT set ups at every base. So then all of a sudden you have got one agency trusting another one, and everyone assumes they’re on the same page. And all of a sudden you're walking down the street, and your driver’s license is blowing in the wind," said Seely.

When 21 members of the Defense Intelligence Agency toured a major American port, they left crucial information behind.

"The visitor ID number on this list is their driver’s license number," Seely said, showing CNN his findings on a computer screen. "These are real people, and this is potentially compromising."

CNN is not identifying the schools and government agencies that have yet to fix this security hole, including:

• The port, a high value homeland security site that showed identifying information of the highly sensitive personnel including personnel names and drivers’ license information for Defense Intelligence Agency officials, as well as foreign visitors’ passport numbers, State Department officials' identification, and diplomats with consulate identification numbers;

• A secretary of state’s office for a large Midwestern state involving business licenses, LLC formation documents, EIN numbers, tax identification, and more;

• An elections bureau for a large state involving financial information, campaign donations, and amounts;

• The names, photographs, bus routes, Social Security numbers, dates of birth, grades, transcripts, and medical information of students kindergarten through 12th grade in a large county Mid-Atlantic public school system, as well as their parents’ Social Security information, addresses, names, and marital status;

• From a court system in a major Midwestern city: convictions, dockets, DUI arrests, Social Security numbers, case notes and more;

• From a Big Ten school: student loan and accounting information for students;

• From another Big Ten school: applicants’ information, students’ names, Social Security numbers, dates of birth, personal information, schedules, grades, tests scores;

• From a Department of Labor in a Western state: personal information including names, dates of birth, Social Security numbers and more.

This incident comes on the heels of other major security breaches at Target, Home Depot, and JP Morgan involving credit card information.

"This is somewhat bigger than, than some of the major data breaches we've seen in the credit card industry," said Caudill. "Even though there’s many fewer records here, only a few million, we’re talking about Social Security numbers, date of births, everything you need for identity theft, as opposed to credit card theft."

"You can always change your credit card, it’s a trivial process at this point with many banks. You can't change your Social Security number," said Caudill.

CNN's Kim Berryman contributed to this report

Posted by
Filed under: National Lead
soundoff (No Responses)

Comments are closed.