FAA Social Security Numbers Stolen

James48843

Union: Hackers broke into FAA computers

By JOAN LOWY – 1 hour ago


WASHINGTON (AP) — Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and Social Security numbers of 45,000 employees and retirees, a union leader says.

Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials briefed union leaders Monday about the security breach.

FAA spokeswoman Laura Brown confirmed that the agency's computers were hacked last week.

Waters said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006.

He said the other file contained medical information that was encrypted.

"These government systems should be the best in the world and apparently they are able to be compromised," said Waters, an FAA contracts attorney. "Our information technology systems people need to take a long hard look at themselves and their capabilities. This is malpractice in their world."

FAA officials told union leaders the incident was the first of its kind at the agency. But Waters said his union complained about three or four years ago about an incident in which employees received anti-union mail that used names and addresses that appeared to be generated from FAA computer files.

He said the union complained to the FAA and the Transportation Department's inspector general but no action was taken.
 
February 2009 Privacy Breach

Updated: 8:25 pm ET February 11, 2009
Background

Questions & Answers

  1. What happened? On February 1, 2009, the Cyber Security Management Center monitoring our systems detected some unusual activity involving an administrative server. The monitors indicated that someone from outside of the FAA had gained unauthorized access to the server and extracted some data on the server.
  2. What information was included in the affected administrative server? There were 48 breached files stored on the server. One of the files contained the names and social security numbers of more than 45,000 agency employees who were on FAA rolls as of the first week in February 2006. Another file contained information on 4,700 AVS employees. No mission sensitive, national security or procurement sensitive information was on the server.
  3. What is FAA doing? The FAA investigative division is working very closely with our partners at the U.S. Department of Transportation Inspector General, FBI, and Cyber Security Management Center to collect and analyze forensic evidence and other data.
    The FAA is reviewing its policies and procedures to prevent future occurrences. We are committed to maintaining the privacy of employee information and take many precautions for the security of personal information. The FAA has zero tolerance for employees not following policies on data protection.
  4. Why did the FAA wait to notify its employees of the breach? The FAA acted quickly and thoughtfully to first gather all the facts and take the steps necessary to validate the intrusion. While this was underway, the FAA began working with the Department of Homeland Security, FBI, NSA and other federal entities to take the steps necessary to investigate the potential breach and protect employees. Once the FAA had a fuller picture of the situation and mechanisms in place to inform their workforce and assist them with their needs, the agency notified its employees of the potential breach on February 9, 2009.
  5. How do I know if information about me was stolen? At this point, we’re not certain that any employee’s personal information will be misused; however, we are erring on the side of caution in case the data was taken with the idea of stealing employees’ identities. For that reason, we sent out a broadcast message on February 9. All current and former employees who are affected will receive a letter shortly alerting them to this event. We are also setting up a website and a toll-free number to answer employee questions related to the event.
  6. What information was not affected by the breach? The breach has been investigated, and there is no evidence of compromise of any other systems, including Employee Express, Thrift Savings Plan, time and attendance, retirement contributions, or bank routing information.
  7. Are FAA contractors from this period affected? No contractor information was contained on these files.
  8. What is the FAA doing to assist employees whose personal identity information might have been viewed by unauthorized persons? The FAA will provide free credit monitoring services to all FAA employees and affected separated employees for a period of 12 months. The notification letter will include information on credit monitoring and outline enrollment procedures, and this information will also be posted on the website.
  9. How is the free credit monitoring service going to work? The FAA will provide free credit monitoring to employees and former employees affected by the security incident for one year if they sign up through the contract offered by GSA to which FAA has subscribed. Full information on how to enroll will be in the letter and will include your unique subscriber number. If you sign up for coverage independently, the cost will not be covered.
  10. Will I still receive credit monitoring even if I leave the FAA? Yes, the credit monitoring services will cover you for a year from the sign-up date regardless of who your employer is during the year.
  11. What will the credit monitoring service provide? The credit monitoring service will provide the following to any employee or former employee affected by the breach:
    1. Automatic daily monitoring of credit reports from all three national credit reporting companies: Experian, Equifax and TransUnion
    2. Email or US mail monitoring alerts to inform the affected individuals of key changes to their credit reports, including new inquiries, newly opened accounts, delinquencies, address changes and public record items
    3. Monthly “no hit” alerts, if there have been no important changes to the individual’s credit report
    4. Unlimited online and offline access to the individual’s Credit Report and Score for the duration of the membership
    5. Score Simulator – helps individuals understand how factors on their credit report impact their credit score
    6. Consumer-friendly credit report with detailed explanations and descriptions
    7. Monthly Score Trending of the individual’s score
    8. Informative credit related articles
    9. One free three-bureau Credit Report and score upon enrollment
    10. Toll-free Customer Service
    11. Toll-free access to fraud resolution representatives and support should the Individual become a victim of Identity Theft after s/he enrolls in Triple Advantage
    12. Assistance from fraud resolution representatives who will walk the Individual step-by-step through the process of resolving problems associated with credit fraud or Identity Theft and: (i) assist with understanding credit reports and alerts (ii) assist in contacting law enforcement officials, (iii) receive and make calls with the Individual, and (iv) contact financial institutions and creditors as required. All assistance is provided as appropriate on a case by case basis
    13. $25,000 identity theft insurance coverage provided by a designated third party. (Due to New York State law, insurance coverage cannot be offered to New York State residents; all other coverage listed above still applies)
  12. Are there other FAA services available?

    Yes. The FAA’s WorkLife Program has several resources. First, employees have access to the Identity Theft Assistance Program, a confidential and easily accessible service. This service is available through our WorkLife partner, Magellan. Specifically, this service:
    • provides members with unlimited telephonic consultations with a highly trained Fraud Resolution Specialist™ (FRS), based on client needs and concerns.
    • assists members with restoring their identity and good credit.
    • provides members with a free “ID Theft Emergency Response Kit™”
    • assists with the costly steps to dispute fraudulent debts, as a result of ID theft; and
    • counsels and provides a document stating the “Preventative Steps” necessary to take in an effort to avoid future ID theft losses and damages to an employee's credit score and reputation.
    You may call this program now to request information or wait to see if it is needed.
    The WorkLife Program also includes FAA’s comprehensive Employee Assistance Program (EAP). The EAP is a helpful resource during stressful situations and is available 24 hours, 7 days a week at (800) 234-1327. Employees can read more about this resource online.
    We are attempting to obtain these same services for the impacted former FAA employees.
  13. Explain how this toll free number works. Employees may contact Magellan directly at (800) 234-1327. Magellan is aware of the privacy breach and can put you directly in contact with a professional once you indicate you are looking for assistance with identity theft.
    You will receive unlimited telephonic consultation with a trained and experienced Fraud Resolution Specialist™ (FRS) who will listen to your issues, answer your questions, and assist you with restoring your identity and good credit. Typically resources are provided over the phone and then followed with materials and resources sent via email and / or traditional mail, at the employee’s preference. More information about this program is available at www.MagellanHealth.com.
    In the event an employee’s information was compromised, Magellan can connect you to an attorney specializing in identity theft. You have access to a free initial consultation and reduced attorney fees if you retain the attorney.
  14. How will former employees get this information? The FAA will reach out via individual letters to current and former employees with information about the privacy breach and what they can do. For those employees who are hearing about this situation for the first time, we encourage you to go to FAA employees’ web site to learn more.
 


  1. What is identity theft? Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes.
  2. What should I do to protect myself? Do I have to close my bank account or cancel my credit cards? You do not have to close your bank account or cancel your credit cards. You should, however, take steps to protect yourself against identity theft. We are encouraging all employees to be vigilant and to carefully monitor bank statements, credit card statements, and any statements relating to recent financial transactions, and to immediately report any suspicious or unusual activity to local law enforcement officials and the Federal Trade Commission (see “Detect Identity Theft” and “Defend: Recover from Identity Theft” on the Identity Theft page at http://www.ftc.gov). Please let your supervisor know as well, as we will be monitoring closely any suspected cases of identity theft.
    One way to monitor your financial accounts is to review your credit report. You will be receiving a credit report as part of our contracted credit monitoring. In addition, by law, you are entitled to request a free credit file disclosure, commonly called a credit report, once every 12 months from each of the nationwide consumer credit reporting companies: Equifax, Experian and TransUnion. For more information, visit their web site at www.AnnualCreditReport.com or by calling 1(877) 322-8228.
    When you receive your credit reports, review them carefully for accounts you did not open or for inquiries from creditors that you did not initiate. Also, review your personal information for accuracy. If you see anything you do not understand, call the credit agency at the telephone number on the report or call the resources provided above.
  3. What do you mean by “suspicious” or “unusual activity”? Suspicious or unusual activities could include the following:
    • Inquiries from companies you haven’t contacted or done business with
    • Purchases or charges on your accounts you didn’t make
    • New accounts you didn’t open or changes to existing accounts you didn’t make
    • Bills that don’t arrive as expected
    • Unexpected credit cards or account statements
    • Denials of credit for no apparent reason
    • Calls or letters about purchases you didn’t make
  4. What is the earliest date at which suspicious or unusual activity on your account might occur? The attempted breach occurred over the weekend of February 1st, 2009. If any data was accessed and misused, it is likely that suspicious or unusual activity would be noticeable beginning in February 2009.
  5. Has the FAA alerted financial institutions regarding this privacy breach? Due to the number of accounts and numbers of FAA employees, it is not possible for the Agency to contact them all. However employees may certainly contact their individual financial institutions.
  6. I haven’t noticed any suspicious or unusual activity in my financial statements, but what can I do to protect myself and prevent being victimized by credit card fraud or identity theft? We strongly recommend that individuals closely monitor their financial statements and review the guidelines provided on the FAA’s web page.
  7. How will a bank account be impacted if it is a joint account with another person? The actual identity theft protection is being provided to the FAA employee. However, that protection applies to all accounts of the FAA employee, whether accounts are joint or single.
  8. What should I do if I detect a problem with any of my accounts? Step 1 - Contact the fraud department of one of the three major credit bureaus:
    • Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241.
    • Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, Texas 75013.
    • TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790.
    Step 2 - Close any accounts that have been tampered with or opened fraudulently.

    Step 3 - File a police report with your local police or the police in the community where the identity theft took place.

    Step 4 - File a complaint with the Federal Trade Commission by using the FTC’s Identity Theft Hotline:
    • By telephone: 1-877-438-4338
    • Online at www.consumer.gov/idtheft
    • By mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.
  9. What are my remedies if my identity is stolen and used illegally? The Federal Trade Commission has produced a booklet to help you remedy the effects of an identity theft. It describes what steps to take, your legal rights, how to handle specific problems you may encounter on the way to clearing your name, and what to watch for in the future. The contents of the booklet, Taking Charge: Fighting Back Against Identity Theft, are available online at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm.
  10. Can Social Security put a flag on my number? No, unlike the credit bureaus, the Social Security Administration (SSA) cannot put a flag or security alert of any type on your Social Security number.
    To report that someone is using your Social Security number, file a complaint with the Federal Trade Commission by using the four steps outlined above.
  11. Can I get a new Social Security number? SSA will not issue you a new Social Security number as a precaution. SSA assigns a new Social Security number in rare cases, and only if the number holder provides evidence that the old number has been used with criminal or harmful intent and that the misuse has caused the number holder to be subjected to recent economic or personal hardship.
  12. How do I file a police report? Individuals who are victims of actual identity theft should file a local police report about the incident. The Federal Trade Commission advises consumers who are victims of identity theft to get a copy of the police report or at the very least, the number of the report. It can help you deal with creditors who need proof of the crime. You should also retain a copy of the FAA memo regarding the potential breach for your records. Information about steps to take if you are a victim of identity theft is available online at www.consumer.gov or by calling the Federal Trade Commission at 1-877-IDTHEFT (1-877-438-4338).
  13. What if the local police won’t take a report? In order to file a police report, you must show you have suffered an actual identity theft or harm due to fraudulent activity or misuse of account information. If you have experienced identity theft or harm, the Federal Trade Commission (FTC) suggests providing as much documentation as you can to prove your case, including debt collection reports, credit reports, or other evidence of fraudulent activity. Information about steps to take if you are a victim of identity theft is available online at www.consumer.gov or by calling the Federal Trade Commission at 1-877-IDTHEFT (1-877-438-4338).
    The FTC also suggests being persistent if local authorities tell you that they can’t take a report. Stress the importance of a police report; many creditors require one to resolve your dispute.
    The FTC advises that if you’re told that identity theft is not a crime under your state law, ask to file a Miscellaneous Incident Report instead. If you can’t get the local police to take a report, try your county police. If that doesn’t work, try your state police. Some states require the police to take reports for identity theft. Check with the office of your State Attorney General to find out if your state has this law.
 
Dear Colleagues:
Shortly, each of you whose personal information may have been exposed by the recent privacy breach will be receiving a letter informing you that we are providing you a credit monitoring service to protect against possible misuse of your personal sensitive information. Membership in this service is optional, entirely free, and will not hurt your credit score.
As you know, last week, the Cyber Security Management Center monitoring our systems noticed unusual activity involving an administrative server. When we looked into the incident, we discovered there were 48 breached files stored on the server. We determined that one of the files contained the names and social security numbers of more than 45,000 agency employees who were on FAA rolls as of the first week in February 2006, including employees who have since retired. A second file contained more up to date information on a subset of Aviation Safety employees.
The theft protection service includes a complimentary one-year membership in Experian’s Triple Advantage℠ Premium credit monitoring product. The letter you receive will spell out the features of the protection plan. We encourage all affected employees to take advantage of it.
In the meantime, we are posting a set of Q&A on the employee site to help answer questions and concerns that employees may have. In addition, we have set up a toll-free hotline 1-800-234-1327 where employees can receive additional personal attention.

Lynne Osmus
Acting Administrator

 
...
In the meantime, we are posting a set of Q&A on the employee site to help answer questions and concerns that employees may have. In addition, we have set up a toll-free hotline 1-800-234-1327 where employees can receive additional personal attention.

Lynne Osmus
Acting Administrator


Not being one to believe that anyone from FAA HQ's would have checked that phone number before sending it out, I figured I ought to do the honors. See, I figure it is pretty hard for them to do much right these days.


So I called the phone number to see if I could get through, and to see if they had any additional information.

Turns out the phone number is for the FAA's contractor- Magellan Mental Health Services.

And the person answering the phone said they had no idea what I was talking about. I told them their number had been published as the place that our Administrator said could give us some "personal attention".

Well, there you go. MENTAL HEALTH COUNSELING is prescribed by Lynne, if you are stressed out because the FAA gave away your social security number to a Turkish hacker, who broke in using a 3 year old flaw to an SQL server. Read more at http://www.faafollies.com

I can't make this stuff up.

Really, I can't.

(p.s.- do you now have to report on your medical exam, that you received MENTAL HEALTH COUNSELING for that phone call?)
 
It gets better....

Administrator's Update on Privacy Breach


February 26, 2009 – Folks,
Last week, I told you that employees impacted by the release of personal identity information recently would have received their letters offering credit protection by now. That was certainly what I intended.
However, there was a glitch with the contractor that is copying and mailing the letters. The glitch should have been discovered, but it was not. As a result, the mailing was delayed. It is on track again, and as of this note, 16,000 letters have been mailed.
The contractor is working throughout the night, and the balance of the letters will be mailed tomorrow. The letters will be as I described last week, and will be accompanied by questions and answers that offer additional information.
This mistake is unacceptable, and is not how I want this agency to respond to situations like this one. We owe our employees better. I offer you my sincere personal apologies.
Lynne
 
Glitch- and the contractor- (THE OUTSIDE ORGANIZATION THAT WE ARE PAYING MILLIONS TO, THAT WE GAVE YOUR PERSONAL IDENTITY INFORMATION- YOUR NAME AND HOME ADDRESSES TO, THAT WE CAN'T CONTROL BECAUSE WE DON'T CONTROL THEM) didn't perform.

Why am I not shocked any more?
 
I got my letter and my free one year credit monitoring service! Oh great.
 
Got my letter and authorization code Saturday..I activated it and found no problems..My Credit Score is 810:)
 
I got my letter and my free one year credit monitoring service! Oh great.
Actually it ain't a bad deal (especially in light of what has just happened to our SSNs)

We Get for free:

* Monitoring of your credit reports every day.

* Email alerts when something changes drastically to your account.

* A free three credit Bureau report and score from (Experian, Equifax, and TransUnion)

* Assistance from their fraud resolution team..I can personally attest that will help you clean up your account if it's boogered up..They fixed mine last year in 24 hours (and while I was on the phone with them)

* $25,000 identity theft insurance..it ain't a million bucks like Life-Lock, but hey, it's free.

This whole FAA Screw up may be a blessing in disguise for some people..by this I mean, it's forcing us to take a closer look at our credit reports..Last year I did mine (first time ever) and it had a bunch of bogus entries and bad payment history that wasn't me, my credit score then was 628..after some cross checking and SSN verifications, along with past address history working with their Credit Bureau assistance team, they performed an investigation and in 24 hours..mine was cleaned up.
 
I received my letter on Saturday... signed up for the service which I would have never paid for before. So far it's clean and my credit score is 743. hmmm... I wonder why it isn't higher with my perfect records. :/
 
I received my letter on Saturday... signed up for the service which I would have never paid for before. So far it's clean and my credit score is 743. hmmm... I wonder why it isn't higher with my perfect records. :/
Age and credit activity has a lot to do with it..The scoring is very Subjective IMO
 
I received my letter on Saturday... signed up for the service which I would have never paid for before. So far it's clean and my credit score is 743. hmmm... I wonder why it isn't higher with my perfect records. :/

On the bottom part of your report, it should tell you what parts of your report put negative pressure on your score and what gives positive pressure on your score.

On mine, it said a couple things that surprised me. One thing that gave some negative bias were credit inquiries. The more inquiries you have (except the ones you do yourself), suggests that you may be trying to extend yourself a little.

The other thing that really surprised me was that positive bias was given because I hold a couple major credit cards with high limits! I thought that would have given negative pressure on the score, but I was wrong.
 
Today in my work Email..I received a letter from David M. Bowen's office (AIO-1) for the FAA administrator, informing me that I can enroll in a FREE ID theft protection agency (contractor) for a year..The Agency is called; IDENTITY FORCE.. they claim to fix any identity theft issues and provides up to $30,000 worth of reimbursement for expenses incurred due to identity theft....So I'm all signed up..Imagine that..I'm covered for a year, even after I retire in 77 days:)

***********************************************************************
ID Theft Protection - ENROLL NOW!


Welcome to the Identity Theft Protection Services enrollment web site powered by Identity Force. When you enroll online you will have instant access to these benefits including:

Identity Monitoring
We continuously monitor the internet and send you a "Red Alert" if we discover your personal identifiable information may have been compromised.
Identity Theft Insurance $30,000
$30,000 Identity Theft Insurance that pays you directly for certain out of pocket expenses and lost wages related to identity theft
Free Annual Credit Report
The simple form enables you to request an annual copy of your Free Credit Reports from Experian, Equifax and TransUnion.
Identity Restoration Advisor
Talk with a real person who will complete paperwork, notify creditors and make calls to clear your good name - avoid the time consuming and frustrating process of restoring your identity.
 