Early this morning, I came across an AP story about a breach of the NAPHSIS EVVE system. At this point, it looks like it has been taken down and I can’t find it anywhere on the Web – I could imagine national security folks wanting to contain the PR damage. I’ll reproduce it below from my cache. If anyone can find it on the Web – especially an update – please let me know in the comments.
I think the implications of this are huge. Beyond billions in welfare fraud going to whatever criminal organization might have placed this software, we have a security hole a mile wide in the passport issuance system, social security cards, and drivers’ licenses. Good thing this has been caught now. Imagine if REAL ID were in place and we were relying on this system for ID security.
Vital Events Database Hacked, Billions in Benefits, Passport Security at Stake
By TAMMY McCLURE
The Associated Press
Sunday, April 1, 2007; 2:49 AM
NEW YORK — The National Association for Public Health Statistics and Information Systems (NAPHSIS) warned late Saturday that a key data system it maintains has been hacked.
Billions in benefits may have been distributed by federal and state agencies relying on the system. The security breach may have allowed terrorists and criminal organizations to wrongly acquire driver’s licenses, U.S. passports, and Social Security cards.
“From the moment we discovered the attack, we began notifying our users of the problem and we have taken every step we can to address it,” said Garland Land, Executive Director of NAPHSIS, in a written statement. “We will continue to keep benefits agencies, the State Department, and the Secret Service apprised of the situation.”
Officials from the government agencies involved did not return calls over the weekend. Many rely on the Electronic Verification of Vital Events system for proof of age, proof of citizenship, identification for employment purposes, to issue benefits or other documents, and to assist in determining eligibility for public programs or benefits.
“This is a frightening illustration that when centralized data systems are compromised, it can have cascading effects,” said Jamie Caliper at data security expert PGP. “Depending on the nature and scope of the hack, there could be thousands of falsely issued documents, and billions in benefits distributed based on fraud.”
Other than a written statement released late Friday, NAPHSIS officials have refused comment. The employee of a vendor revealed the breach to the Associated Press Friday, saying that unauthorized software had been operating within the NAPHSIS vital events system for an indeterminate length of time. This follows the revelation last week of a similar occurrence leading to the breach of more than 45 million credit and debit cards.