CAMP FOSTER, Okinawa -- The Marine Corps has changed the way it handles personal information after a servicemember lost a disk containing the data of 164,000 people who registered a vehicle for Okinawa base access between January 2007 and September 2017.
On Sept. 22, an airman with Okinawa's Joint Service Vehicle Registration Office at Camp Foster handed the disk to an Air Force security officer from Kadena Air Base. That security officer was tasked with bringing the disk -- which was not password protected or encrypted -- to Kadena security forces' headquarters, where the data were to be uploaded into the Air Force system.
The disk was never seen again.
It contained names, Social Security numbers, driver's license information, ID numbers, physical descriptions of personnel, vehicle identification numbers and plate numbers, service branch and duty information for servicemembers, dependents, civilian federal employees, contractors and local national master labor contractors.
While the Marine Corps said there are no signs the disk was sold, stolen or found by someone with nefarious intentions, the affected individuals -- including some who have long since retired from government service -- have been asked to safeguard their identity and credit.
Numerous changes to the way personal data is stored and distributed by the U.S. military on Okinawa have been made; however, a report on the incident provided to Stars and Stripes by the Marine Corps suggests it was preventable, and that unsafe practices have knowingly been used for years.
The data were haphazardly handled on removable media devices by members of the military, and there were no standard operating procedures for passing the data between services. Servicemembers didn't know how to password-protect disks containing sensitive data.
While the Marine Corps system that contained the data was encrypted, there was no centralized system accessible by all service branches, making the rudimentary passing of disks between servicemembers necessary.
The Marine Corps acknowledged as far back as 2010 that the system needed to be modernized and all service branches given access to its database, but none of the branches or commands servicing Okinawa did anything beyond a few preliminary meetings.
Protecting personally identifiable information "is a continuous effort that requires all to maintain a heightened sense of vigilance," Marine Corps Installations Pacific spokesman 1st Lt. Edward Pingel wrote in a statement to Stars and Stripes. "The causes for recent losses ... vary, but we will continue to instill awareness and training to servicemembers to mitigate such losses from reoccurring." Pingel wrote that "the standard operating procedures that led to this loss were introduced by individuals no longer associated with the United States Marine Corps."
However, the report about the lost disk says no procedures existed.
"There are no Standard Operating Procedures written that direct the members of JSVRO how to pass law enforcement data between the separate services across Okinawa," the preliminary investigation report said.
The disk -- which contained information from the Marine Corps Installations Pacific's Joint Vehicle Registration and Licensing Database -- was created Sept. 21 by a registration office employee, according to the report.
Other service branches did not have access to the Marine system, so the disks were used monthly to update Air Force, Army and Navy law enforcement at bases around the island. Disks were passed to servicemembers from the other bases who would harvest the data and return the disks.
The Sept. 21 disk was handed off the next day, and was reported lost five days later.
"Immediately after the loss of the CD was discovered, the U.S. military began a comprehensive search and conducted an inquiry into our own processes for collecting, storing and transporting personal information," a Marine Corps statement said. "There is no evidence that the CD was stolen or that the information on the CD has been misused in any way."
Options not chosen
An investigation led by Marine Maj. Jason Crumbacher found that the breach should have never happened.
In 2010, Marine officials approached the registration office and base safety representatives about modernizing the database and held meetings with all service branches about getting access to the system.
From inception of the JVRL database, "the lowest levels of supervision recognized the need for and pursued a secure way to share sensitive data," Marine officials said in the report. "All available options were explored and were ultimately not employed for financial or logistical reasons, leaving transfer via CD the only option."
Marine officials also found that staff at the registration office had never heard of the government's safe access file exchange system, called the U.S. Army Aviation and Missile Readiness Development and Engineering Command Safe Access File Exchange. This system is widely recognized among journalists, civilian researchers and Defense Department employees as a method of sharing documents.
The disk was never found, the report states. Marine officials declined to provide an explanation from the airman who lost the disk, nor would they say whether anyone involved was punished for the incident. The investigation was closed Jan. 23, Marine officials said.
"As with any loss of data, it is critical for individuals whose data was lost to monitor their credit scores and take other steps to ensure their identity and protect their information from misuse," Pingel wrote in the Marine statement. "We urge all to remain vigilant of scammers asking for personally identifiable information. We are also taking steps to ensure this sort of incident does not happen in the future."
No more disks
The Marine Corps has implemented several changes to the way personal information is handled at the registration office on Okinawa. No more disks are being passed. Marine Corps Installations Pacific is working with the Marine Corps Cyberspace Operations Group to grant access for other services to the JVRL system, Marine spokesman Gunnery Sgt. Derek Carlson said in a statement to Stars and Stripes. Personal-information refresher training is being held.
The registration office is reviewing the database to purge any records that are no longer required for "operational use or required to be maintained due to records retention policies or statutes."
On Dec. 15, letters were sent to those affected by the breach, offering identity protection and credit-monitoring services.
Out of more than 164,000 people, only 361 signed up, said Barbara Hamby, a Marine Corps Systems Command spokesman.