You probably have no idea the degree to which the IT people in and around the military maximize their belief that those simpleton sailors not in the IT circle of trust are sheeple, and that they, the IT gods are, each and every one, the grand saviors of the Republic.
That sort of arrogance begets an unprecedented sense of entitlement. Coupled with a severe dependence on Microsoft Tuesday updates, and a general inability to recognize an SQL query (not making that up), and you have a real problem.
I would not doubt, for a second, that 134k SSNs were on some contractor's laptop.
>You probably have no idea the degree to which the IT people in and around the military maximize their belief that those simpleton sailors not in the IT circle of trust are sheeple, and that they, the IT gods are, each and every one, the grand saviors of the Republic.
You're posting on HN. I'd wager that a lot of us are or have been guilty of a bias like that.
I can imagine this happening very easily. Let's say a contractor is helping add a module to some web application...
"It worked on test, but not in production. It's supposed to be live already, what's the holdup? Fine, I'm not supposed to do this but I'll give him access to the live-server, read only, of course, since you have security clearance anyway. Plus, the data is in the DB, not on the application server. Ok, so now you have the whole /deploy folder, find the issue..."
"What do you mean you lost you laptop on the metro this morning? Fuck! Ok, well you only had access to the /deploy folder, but now I'm required to audit your laptop's backup to see if you had anything important, what a pain in the ass. Wait, what's this? There are all these XML files with personnel data in them in /deploy/api/xml/!!!!! Those files are supposed to be processed and removed from the web server, not stored! Shit!"
It was probably the MS Access database from BUPERS. It gets mailed to every command (or downloaded nowadays) on a monthly basis. It has everything on everyone. SSN, names, addresses, ranks, birthdays, etc. At least 50 fields of personnel info for almost everyone in the Navy. And it's not classified, otherwise they wouldn't be able to distribute it so widely (although they could at least make it Secret since most admin have Secret clearance, but most admin also work on unclas machines, so I guess not).
Source - I was a Yeoman in the Navy and had access to this. I already didn't think much of the Navy's PII procedures, but seeing this thing for the first time blew me away. It shouldn't exist.
HP does government consulting, it's quite likely they were working on an application that needed access to that data. When I was a civilian working in Navy medicine (building apps), that was often the case.
As a Navy physician trying to get IRB-approved research done, could you kindly share what kind of app needs a lone developer to have 134k SSNs on a laptop?
There are lots of very legitimate reasons, but a very common example might be vendor upgrades of core software for coding, integrations, dictation, etc. Fairly standard procedure to do (at least) a one off just in case backup of a database before running a big code update.
Haha. Okay. I would hazard a guess that you haven't worked on real world apps then. Users will do things that you cannot predict. They will break things like never before.
I've written plenty of code that checks out against out test environment, but it'll choke on a weird thing in production. You NEED access to real data if you're going to make any progress in that scenario.
Yep, precisely. And it's not just the users that fuck up either. Sometimes, other systems you have to integrate with are also poorly designed and don't have proper control mechanisms in place. For instance, I'm working on integrating with another system right now where the zip_code field has values like "don't know". You're never going to be able to cover for things like that unless you have access to the real dataset.
You're not living in the real world. Users do weird things.
At some point someone will legally change their name to an emoji and it'll break a whole load of systems. Nobody saw that coming when they originally built some middleware in 1998.
The real question is why not? Its not like HP will be fined to the tune of tens of millions for the breach, at best they will get stern reprimand letter.
That sort of arrogance begets an unprecedented sense of entitlement. Coupled with a severe dependence on Microsoft Tuesday updates, and a general inability to recognize an SQL query (not making that up), and you have a real problem.
I would not doubt, for a second, that 134k SSNs were on some contractor's laptop.