Early this morning, I came across an AP story about a breach of the NAPHSIS EVVE system. At this point, it looks like it has been taken down and I can’t find it anywhere on the Web – I could imagine national security folks wanting to contain the PR damage. I’ll reproduce it below from my cache. If anyone can find it on the Web – especially an update – please let me know in the comments.
I think the implications of this are huge. Beyond billions in welfare fraud going to whatever criminal organization might have placed this software, we have a security hole a mile wide in the passport issuance system, social security cards, and drivers’ licenses. Good thing this has been caught now. Imagine if REAL ID were in place and we were relying on this system for ID security.
Vital Events Database Hacked, Billions in Benefits, Passport Security at Stake
By TAMMY McCLURE
The Associated Press
Sunday, April 1, 2007; 2:49 AM
NEW YORK — The National Association for Public Health Statistics and Information Systems (NAPHSIS) warned late Saturday that a key data system it maintains has been hacked.
Billions in benefits may have been distributed by federal and state agencies relying on the system. The security breach may have allowed terrorists and criminal organizations to wrongly acquire driver’s licenses, U.S. passports, and Social Security cards.
“From the moment we discovered the attack, we began notifying our users of the problem and we have taken every step we can to address it,” said Garland Land, Executive Director of NAPHSIS, in a written statement. “We will continue to keep benefits agencies, the State Department, and the Secret Service apprised of the situation.”
Officials from the government agencies involved did not return calls over the weekend. Many rely on the Electronic Verification of Vital Events system for proof of age, proof of citizenship, identification for employment purposes, to issue benefits or other documents, and to assist in determining eligibility for public programs or benefits.
“This is a frightening illustration that when centralized data systems are compromised, it can have cascading effects,” said Jamie Caliper at data security expert PGP. “Depending on the nature and scope of the hack, there could be thousands of falsely issued documents, and billions in benefits distributed based on fraud.”
Other than a written statement released late Friday, NAPHSIS officials have refused comment. The employee of a vendor revealed the breach to the Associated Press Friday, saying that unauthorized software had been operating within the NAPHSIS vital events system for an indeterminate length of time. This follows the revelation last week of a similar occurrence leading to the breach of more than 45 million credit and debit cards.
© 2007 The Associated Press