The most common personal information breach occurs when airmen send personnel rosters from .mil accounts to .com email addresses, Air Force officials say. (Airman 1st Class Stephanie Rubi/Air Force)
- Filed Under
More than two months after the Air Force launched a crackdown on breaches of personally identifiable information on its main computer network, the number and severity of such breaches has fallen.
But Gen. William Shelton, commander of Air Force Space Command, said significant information breaches are still occurring on the Air Force Network, or AFNET — a single breach in November exposed the personal information of more than 5,000 people — and they must be stopped.
“We’ve all got to work harder to eliminate PII violations,” Shelton said. “PII that is not properly protected becomes vulnerable to interception by an adversary. That creates the risk of the information being used to target individual users to gain their credentials and potentially gain access to our network. From an individual perspective, it can also lead to identity theft.”
Between May and October, the Air Force said it averaged roughly 3.3 reports of personal information breaches affecting 1,935 people per day. On Oct. 24, the Air Force began locking out any AFNET users — airmen, civilian employees or contractors — who were caught inappropriately storing or transmitting personal information. Since then, average breaches have fallen to 2.7 reports affecting 991 people per day.
PII can include information such as someone’s name, address, Social Security number, medical records, financial records, or any other data that can be used directly or with other data to identify, contact or locate a person. A breach is defined as a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any other situation where someone other than an authorized user, and for other than an authorized purpose, has access or potential access to PII, in either physical or electronic form.
Breaches can range from one person sending a performance report containing a Social Security number to another military account without encryption, to the sending of a personnel roster with thousands of pieces of PII to a personal email account outside of AFNET.
Col. Douglas Coppinger, vice commander of the 67th Cyberspace Wing, which is in charge of detecting PII breaches, said the most common violations are users sending personnel rosters from .mil to .com email addresses, and vice versa.
“While quite often these breaches are not of malicious intent, we need to better educate our airmen on the protection of this type of information,” Coppinger said.
Once an AFNET user has compromised PII and is locked out of the network, his wing commander is notified. His account will only be unlocked once the first O-6 in his chain of command certifies he has undergone remedial training and other necessary actions.
Christine Millette, spokeswoman for the 24th Air Force, said about 160 network users have been temporarily locked out for information breaches since the new policy went into place. Users’ accounts are usually unlocked in 11 days on average.