New Zealand's Chris Ogle probably thought it was his lucky day when he scored a used MP3 player cheap. But his luck soured when it turned out to be broken -- and loaded with 60 pages of U.S. military data and personally identifying information.It could have been worse. It could have been a video iPod, filled with the complete run of Dr. Phil.
Ars Technica has the story (although they incorrectly identify the device as an iPod):
The files Ogle found on the [MP3 player] contain the names and personal details of U.S. soldiers, including some who served in Afghanistan and Iraq. There are no details on exactly how many personal records are contained within the documents (most of which date back to 2005), but they do also have information on mission briefings and equipment deployment.
This incident is probably not the worst breach of military data in recent memory. About a year ago, a U.K. military recruitment officer's notebook containing over 600,000 personally identifying, unencrypted records was stolen from his car. In 2007, the U.S. military began clamping down on "milbloggers" who may have inadvertently been giving away too much information to the enemy by posting about day-to-day base operations on increasingly popular public blogs.
"Mr. Ogle said the MP3 had never worked as a music player and he would hand it over to the U.S. Defence Department if asked," according to abc.net.au.
"While the discovery may prove embarrassing to U.S. officials, the outdated files seem to be of little consequence to national security. However, personal information like Social Security and phone numbers could have put individual soldiers at risk for identity theft and personal harm," notes PC World, which adds that U.S. investigators in Afghanistan in 2006 bought stolen flash drives with military information outside Bagram base, a major U.S. military outpost, and the Defense Department later banned use of USB storage devices.
The Obama administration has ambitious plans for using IT to streamline American government, and improve communication with citizens. However, more powerful IT leads to greater vulnerability, unless better security precautions are included in the package.
Enterprises can take a lesson from this. It's the same lesson they can learn from any data breach. Enterprises need to routinely encrypt data on storage devices, be sure to wipe devices prior to selling or giving them away, and control employees putting sensitive data on their personal devices.
And Chris Ogle, who shelled out good money for an MP3 player filled with useless, dangerous data, can take a lesson from this, too: Maybe he should have bought a Zune.
Update, 5:20 pm: Initially, we incorrectly identified the device as an iPod, but it turns out to be some other variety of MP3 player, according to New Zealand's TVNZ. The video shows the device -- it's clearly not an iPod, although I can't identify the brand and model.
Thanks to @daveom, who Twitters from Auckland, New Zealand, for pointing out the error.