Once again the U.S. government has failed to protect sensitive personal information, this time highly sensitive information on 4,000 Air Force officers. This information, contained in extensive 127-page individual security questionnaires known as SF-86, was found on a backup hard drive that was neither password protected nor encrypted. In addition, extensive information on high-profile visitors to sites in Afghanistan was on the same drive, along with gigabytes of Outlook emails whose content has yet to be assessed.
This follows a number of other similar cases, the most notorious being the highly successful penetration of SF-86 files and other data held by the Office of Personnel Management (OPM) in June 2015. In that case, 21.5 million Americans’ personal data was compromised, again involving the SF-86 security questionnaire. On top of that, 5.6 million fingerprints were also stolen. When you apply for a security clearance, the government collects fingerprint data and photos.
Full disclosure: my personal data was also compromised in the OPM hack and I received an OPM letter and some worthless “free for a year” coverage of my personal data going forward.
Does the government have any responsibility to protect sensitive information?
Apparently, anyone who believes that the government has this responsibility is sadly misguided. Not only does the government not protect personal information, it hands it around to other agencies routinely and gives it to private contractors for “processing.”
Like your passport! You go to a passport office, fill out all the information, provide a birth certificate and all the requisite contact information, and you give the passport office photos, one of which will wind up embossed into your passport. Then the Passport Office sends all that (how, by mail?) to a private contractor to “process.” Who has access to it is anyone’s guess. The information is not classified and therefore is not formally protected in any manner.
The same holds true for your tax return, which you send in to the IRS, nowadays electronically. Maybe it is semi-encrypted when you electronically transmit the form, or your accountant does it for you, but when it arrives at the IRS it is stored as an ordinary file with no protection.
The SF-86 form is an especially pernicious example because it contains a vast amount of information: every place you may have worked, who your friends and colleagues are, your business involvements, and who your family members and relatives may be. All of this provides hugely valuable information to potential adversaries, who may be nation-states but who could also be terrorist organizations.