- Filed Under
Army will offer a year of credit-monitoring services to protect the 31 Social Security numbers of the Medal of Honor and Distinguished Service Cross recipients that were posted online last month.
The Army announced it began to inform the affected people or their next of kin on Oct. 11, after inquiries from Army Times, which first reported the breach on Sept. 28, and Rep. Duncan Hunter, R.-Calif., who wrote a letter dated Oct. 11 to urge Army Secretary John McHugh to take swifter action.
"It is critical that this issue is resolved immediately and the soldiers and families comprising the 31 individuals whose information was released are immediately informed, at the very least, of the data breach and provided every reassurance that the Army is taking the necessary action," Hunter, a member of the House Armed Services Committee who served in Iraq and Afghanistan as a Marine Corps officer, said in the letter.
The exposed database — since removed — contained 518 records of the Medal of Honor, Distinguished Service Cross and Silver Star recipients for actions since the global war on terror began in 2001. In the database, Social Security numbers appeared for 31 soldiers, the six MoH and 25 DSC recipients, but none of the Silver Star recipients. Doug Sterner, curator of the Military Times "Hall of Valor," uncovered the exposed database.
The Army is continuing to investigate how the database and sensitive information http://www.armytimes.com/news/2012/09/army-decorated-soldiers-data-breach-092812w/">ended up online, Col. Jonathan Withington, an Army spokesman at the Pentagon, told Army Times on Oct. 11. The exposed file was not an Army document, but the Army had provided raw data about award recipients to the Alexandria, Va., creative services firm Brightline, which may have been responsible for posting it.
Erik Muendel, chief executive officer of Brightline, told Army Times last month his company was not authorized to handle sensitive information and he was also investigating the incident. He did not immediately return a call seeking comment for this story.
According to Withington, Human Resources Command began sending notification letters on Oct. 11, and The Adjutant General, which is the section of HRC that governs awards, will follow up by telephone.
"The Army takes this matter seriously and took immediate corrective action," Withington said.
According to a 2009 Army policy memo, the loss, theft or compromise of "personally identifiable information," or PII, must be reported to the impacted individuals within 10 days, if the threat is deemed strong enough. First-class mail is the preferred method, but telephone and email are also acceptable. The notification should describe the incident and what steps individuals can take to protect themselves.
More than a week after the breach was made public, eight recipients of the DSC, the military's second highest award for valor, told Army Times they had not heard from the Army and they had been unaware of the breach.
"I haven't received a phone call, and I think 31 phone calls could be accomplished inside of a week. That would be kind of an expectation," said retired Master Sgt. Don Hollenbaugh, who was awarded the DSC for his actions as a Delta Force team leader during a 2004 firefight in Fallujah, Iraq.
Hollenbaugh, now head of a private tactical instruction firm in Meridian, Idaho, said his personal information was once taken by hackers in a private-sector data breach. His employer notified him promptly and offered to pay for identity theft protection, he said.
Retired Capt. Walter B. Jackson said he was "disappointed" not to have received a call from either the Army or Brightline about the matter. Jackson was awarded the DSC for treating a wounded soldier and initially refusing treatment for his own gunshot wounds in Al Anbar province, Iraq, in 2006. He retired last year.
"It's disappointing and scary to think that information could get out there so easily," Jackson said. "I've heard of government laptops being compromised, but what's one to do when the information's out there [online]?"
Retired Sgt. Felipe Pereira said he already subscribes to the identity theft protection service Lifelock, but he is nonetheless considering calling the FBI. Pereira received the DSC earlier this year for taking wounded soldiers out of a firefight in Senjaray, Afghanistan, in spite of his own wounds.
"I'm sure the Privacy Act was violated, and whoever has jurisdiction should see if criminal charges need to be filed," Pereira, of Nashville, Tenn., told Army Times.
Sgt. 1st Class Jarion Halbisengibbs, a 10th Special Forces Group acquisitions official, was willing to give the Army and Brightline the benefit of the doubt, but he said the Army should do more to protect those affected.
"Knowing there was a breach like that, it wouldn't be a bad idea for them to foot the bill for Lifelock," said Halbisengibbs, awarded the DSC for his actions during an assault on an insurgent stronghold in Samarra, Iraq, in 2007. "For piece of mind for them and us, that would be a good call."