Pilot Information Compromised

What information? Names? emails?

or something more serious, like ssns, ffdo status?

Do try to not confuse yourself, again.
How much have you heard about this? Nothing? Because your SSN along with your home address was on there.

They're covering. If there was nothing significant on that laptop, USAPA would have told you long ago.

They lost some important stuff.
 
How much have you heard about this? Nothing? Because your SSN along with your home address was on there.

They're covering. If there was nothing significant on that laptop, USAPA would have told you long ago.

They lost some important stuff.

LOST? Or something more nefarious? Silence indicates many things, most of which are not good.
 
What information? Names? emails?

or something more serious, like ssns, ffdo status?

Do try to not confuse yourself, again.
Yo sealbeater,

Why hasn't USAPA come out and told its membership that there was NO important information on that lost laptop.

You'd think they'd at least have the courtesy to alleviate any worries a union member might have about his/her info being lost.

I wonder why they've been so quiet on this.

Maybe they're worried about spoliation?
 
I don't know what was on there. However, if it was a USAPA-owned device then nothing personal should have been on there. Especially anything that was remotely confidential. Also, in most corporations there are strict security protocols AND audits, so Aunt Millie's recipe for MN Hot Dish could get you fired.

Sorry, but I'm a stickler for security and what I'm reading here is there wasn't any. The mere fact it was stolen suggests that this person should not be issued a replacement. Especially if he/she is an officer standing for election. You have a situation here where the mere appearance of impropriety is almost more damaging than any real wrongdoing.


Why wouldn't there be any personal pilot data on a USAPA laptop? Does the treasurer not have access to the addresses and some information related to billing addresses etc? This is entirely reasonable, and there is a HUGE difference between Leonidas accessing pilot information that was knowingly given from a company representative and one that was STOLEN. IE a CRIME was committed when the laptop was stolen, versus a WILLING transfer in the Leonidas case. USAPA has a trove of payroll data and personal addresses that are legally obtained. You kids can't figure out the difference between someone with access to COMPANY data giving it to a third party. If you are that dense, nobody can help you here.
 
You kids can't figure out the difference between someone with access to COMPANY data giving it to a third party. If you are that dense, nobody can help you here.

Yet some on the east still refer to it as AOL's theft of information. Your east kids are slow learners... :lol:

Jim

ps - Do you actually believe that Mowrey's laptop - the one probably used in the attempted faking of a certain law firm's emails - was stolen? The kids are running the school...

ps2 - In light of your post don't you find it ironic that those who charge AOL with theft when that wasn't the case are apparently unconcerned about the reported actual theft of their personal information from USAPA? Where are the demands for an investigation, law enforcement action, criminal charges, etc.
 
Why wouldn't there be any personal pilot data on a USAPA laptop? Does the treasurer not have access to the addresses and some information related to billing addresses etc?

Ignoring the insults, I'll address your question(s).

The question isn't "Why wouldn't there be any personal pilot data on a USAPA laptop?" The more appropriate question is, How was it secured? In this case the answer appears to be "it wasn't" or "we don't know". Neither of which are acceptable in the world of information security. At a minimum said laptop should have been password protected at log on. The files containing ANYTHING remotely sensitive should have also been password protected separately AND encrypted. Encrypted files means you're talking NSA/CIA/FBI talent to read the files. With me so far, Sparky? If you want to be really anal then you do all of the above but only store the information on a removable media such as an external hard drive that is then locked in a safe when done. Do all of the above and the laptop is stolen?? No compromised data, no harm, no foul, no room for an appearance of shenanigans.

Does the treasurer not have access to the addresses and some information related to billing addresses etc? Again, wrong question. It should be, and this is with any USAPA official, "Why does this person need access?" Proper security protocols must be determined and maintained. For example, does a Treasurer need to have more than Name, Employee number and mailing address? Or do we let him/her have access to all info?

It all depends on how secure you want your data to be. Judging from what I read here, data security wasn't much of an issue at USAPA.
 
Seriously, I doubt that the laptop in question was stolen. Supposedly, review of the security camera footage revealed nothing out of the ordinary. I do suspect that it was used to spoof the emails purporting to be from one employee of the Seham firm to another, and was purposely "misplaced" to hide the evidence. If it was discarded it is a lot bigger issue than AOL inadvertently having access to password protected partial SS#'s for the pilots since anyone who found it would also have access to the information it contained. Anyone dumb enough to claim that it was stolen from an office with security camera coverage isn't smart enough to wipe the drive or otherwise protect sensitive information contained on the "misplaced" computer. Yet no one on the east side seems concerned. Apparently it's ok to have your sensitive info handled recklessly by someone as long as they're in the DOH camp, but having fellow pilots have your address is a capital crime if they support the Nic. That is the real crime...

Jim
 
If it was discarded it is a lot bigger issue than AOL inadvertently having access to password protected partial SS#'s for the pilots
Sorry, Jim. It was not "inadvertent", and the SS#s were not password protected, at least on the list that was sent by PHX.
 
Sorry, Jim. It was not "inadvertent", and the SS#s were not password protected, at least on the list that was sent by PHX.
The company said you're wrong. Who to believe - clubby who makes it up as he goes or the company who would have no reason to lie.... :lol:

Jim
 
Sorry, Jim. It was not "inadvertent", and the SS#s were not password protected, at least on the list that was sent by PHX.
Bzzzt! WRONG!!!

They were in a hidden column and the company self-disclosed that SSN's were embedded in the file. The company then had to show USAPA how to access said column.

And you should be more worried about your VP's "lost" computer. That info was not PW'ed at all.

Wonder why that doesn't worry you and the fact that USAPA put nothing out to dispel that fear.
 
Bzzzt! WRONG!!!

They were in a hidden column and the company self-disclosed that SSN's were embedded in the file. The company then had to show USAPA how to access said column.

And you should be more worried about your VP's "lost" computer. That info was not PW'ed at all.

Wonder why that doesn't worry you and the fact that USAPA put nothing out to dispel that fear.

Here is something you might find interesting:

Hackers Having A Field Day With Data Breaches
by Ron Arden on February 24th, 2012


In the last few weeks, hackers have been taking advantage of lazy security practices on websites. In two incidents involving the adult entertainment industry, almost 2 million customers have had usernames, passwords, email addresses, dates of birth and other personal information exposed.

On February 11, 2012, Luxembourg based Manwin Holding SARL had a data breach that compromised 350,000 user records, including usernames, encrypted passwords and email addresses. A hacker who said he is affiliated with the group Anonymous accessed an inactive forum to help enter some linked websites. And when he got there, he found a bonanza of data. A small sample was posted to the Internet and I’m sure hackers are having a field day as they sift through the information. Based on what was leaked, it was possible to determine some users’ full names and country of residence. Hello fraud and phishing!

 
You are correct - password protecting parts or even all of a file is no more defense against hacking than the lock on your door is a defense against thieves. Both protect against temptation in the basically honest. However, no one has accused AOL of hacking the data to get access. It's all been accusations of theft and criminal acts because of merely having the file containing password protected info.

Odd, then, that those who have been so vocal about criminal acts because AOL had the file apparently aren't concerned at all that the same data is supposedly in the hands of a real thief and may be used/sold for any purpose whatsoever. Quite the contrary, one even said that obviously private information was on the supposedly stolen laptop but so what?

Jim
 
You are correct - password protecting parts or even all of a file is no more defense against hacking than the lock on your door is a defense against thieves. Both protect against temptation in the basically honest. However, no one has accused AOL of hacking the data to get access. It's all been accusations of theft and criminal acts because of merely having the file containing password protected info.

Odd, then, that those who have been so vocal about criminal acts because AOL had the file apparently aren't concerned at all that the same data is supposedly in the hands of a real thief and may be used/sold for any purpose whatsoever. Quite the contrary, one even said that obviously private information was on the supposedly stolen laptop but so what?

Jim

Just as an FYI, the blog I posted is from one of the Industry Leaders in Enterprise Digital Rights Management - Persistent file security. To give an idea of the power of this type of Software, I asked Bill this: "If the Government had your Software installed, how would that have affected the whole Wikileaks scandal?" He replied simply, "It never would have happened."

Security is no laughing matter, although I'm beginning to see that USAPA is a rather cruel joke. Considering this security software prices out at about 5 to 7 billable hours of Lee Seham's time for a small organization like USAPA, I think USAPA could have squeezed it in the budget someplace.
 
Security starts with whoever has the information - the company. From their explanation, giving AOL privileged information was inadvertent - I'd be surprised if the assistant chief pilot knew it was in the file. But no one should be given privileged information on employees unless they have a pressing need for it. Names and addresses don't bother me since it's not privileged information - companies buy, sell, and exchange mailing lists all the time which is why everyone with a mailing address gets junk mail. SS#'s, passport #'s, etc is a different matter. That shouldn't be in files that people who don't need it have access to, encoded or not, password protected or not.

Of course, the same goes for any union - does the union need access to every bit of information that the company has on every member of that union? Does everyone in the union office need access to every bit of information the union has on each member? It's like the saying says - if you want to keep something secret don't tell anyone the secret.

Jim
 
Security starts with whoever has the information - the company. From their explanation, giving AOL privileged information was inadvertent - I'd be surprised if the assistant chief pilot knew it was in the file. But no one should be given privileged information on employees unless they have a pressing need for it. Names and addresses don't bother me since it's not privileged information - companies buy, sell, and exchange mailing lists all the time which is why everyone with a mailing address gets junk mail. SS#'s, passport #'s, etc is a different matter. That shouldn't be in files that people who don't need it have access to, encoded or not, password protected or not.

Of course, the same goes for any union - does the union need access to every bit of information that the company has on every member of that union? Does everyone in the union office need access to every bit of information the union has on each member? It's like the saying says - if you want to keep something secret don't tell anyone the secret.

Jim

What you speak of is what "Digital Rights Management" is! Deciding who gets access to what and who they can distribute it to. Like SSN's to a Union or private individual for example. The software is so advanced that I could set it up in such a way that HR could only e-mail certain files to a predetermined list. It's also advanced enough that I can retrieve an e-mail sent in error. Stuff is way cool.

Security for many small organizations is an afterthought. Right up until there's a breach problem.
 