A Breach of Security

Welcome to the 21st century, where anything imaginable is available at the click of a mouse. For thieves with a degree of technical savvy, that online cornucopia includes components of people's identities, such as Social Security numbers, birthdates, addresses and full legal names.

For these malicious hackers, the goal is to break into a computer system, obtain others' vital information and open fraudulent credit card or checking accounts. With databases chock-full of valuable personal records, breaking into a system is akin to robbing a bank -- except thieves can perform their deeds from anywhere in the world.

"Identity theft is the crime of the Information Age," said Linda Foley, co-executive director of the Identity Theft Resource Center, a national nonprofit dedicated to fighting identity theft. The center provides consumer and victim support, and advises governmental agencies, legislators and companies on identity theft.


San Diego Targeted
Two servers at the San Diego County Employees Retirement Association (SDCERA) were among the latest targets, getting breached by malicious hackers in July 2005. More than 32,000 current and former San Diego County employees have been made vulnerable to identity theft, and the closely guarded addresses of 5,000 law enforcement personnel may have been exposed.

How did this happen, and what's being done to prevent future break-ins? Is government more at risk than private industry?

Answering the first question is tough.

"The story is not being discussed due to an active investigation," said Foley, adding that she offered her agency's services to SDCERA but was denied. "This is standard operating procedure. When you are on the trail of a thief, you don't go public."

She said the San Diego Computer and Technology Crime High-Tech Response Team (CATCH) is leading the investigation, but keeping information to itself.

When the break-in was discovered, the agency issued letters to former and current county employees advising them to contact credit agencies and put a fraud alert on their credit reports. The agency's actions complied with a California state law enacted in 2003 that requires companies or agencies to notify people whose private information may have been accessed by hackers.

The San Diego County Board of Supervisors has voiced concern, but since the SDCERA's computers are independent of the county system, the board is not actively involved in the investigation.

"SDCERA serves county employees, but they are not part of our IT contract," said Mike Workman, San Diego County spokesman. "I was not briefed since the outage was not ours. I don't have details other than what was reported."

Some of those details include determining how much personal information -- if any -- the hackers obtained. Since the SDCERA is not talking, that question has not been answered. Foley said too many factors are involved to know right away if the information was viewed or copied.


Control the Information
The break-in remains a whodunit for now, but that doesn't mean the SDCERA will fall prey to hackers again.

"It's not an uncontrollable disease," Foley said. "It's a situation that can be restricted and limited if certain things were to change -- including better information control."

Information control is what guided the San Bernardino County Employees' Retirement Association when it set up protection levels for its database.

Mark Jolicoeur, the association's chief of Information Services, said he uses an array of protective measures to protect against breaches, including firewalls and wide area network and local area network (LAN) security policies and configuration. He also insists that user names and passwords are used at local machines.

"Intrusion detection software is most common and is what we use," Jolicoeur said. "It consists of reports and logs used to monitor hits and pings."