Medal of Honor recipients Staff Sgt. Salvatore A. Giunta, left, and Sgt. First Class Leroy Petry had their Social Security numbers compromised. (Composite file photos by Tom Brown and Chris Madda)
- Filed Under
The Army is investigating how a defense contractor's data breach left vulnerable the Social Security numbers of Army's most highly decorated soldiers, when a comprehensive awards database was posted online.
The exposed database contains the 31 Social Security numbers for six Medal of Honor recipients — including former Staff Sgt. Sal Giunta, Sgt. 1st Class Leroy Petry and four posthumous recipients — and 25 Distinguished Service Cross recipients.
"That super sucks," Giunta told Army Times when contacted about the breach Sept. 28. "Just the people it encompasses and who's included, it's like an attack on America. But people make mistakes. I wish it wouldn't have happened."
The database, which contains 518 records of award recipients since 2001, appeared to have been posted online by an employee of Brightline Interactive, a creative services firm in Alexandria, Va.
The database also included records of Silver Star recipients, including their names, ranks, unit information, and the date, place and a description of their action. But the Social Security numbers for the 487 Silver Star recipients were not included on the website.
The breach raises serious questions about how service members' personal information is protected, said Joe Kasper, deputy chief of staff for Rep. Duncan Hunter, R-Calif., a member of the House Committee on Armed Services.
"It's a concern that their identifying information is compromised," Kasper said. "We shouldn't allow a mistake of this significance to happen."
Ironically, the careless handling of information comes as the Army has rebuffed requests to share nonsensitive information about award recipients and their actions, even with members of Congress.
"I can't overstate the resistance we've had trying to get a comprehensive record that appears to have been available all along," Kasper said. "We think that there are more people who are deserving of the Medal of Honor, but trying to work with the Army's awards branch to learn who these individuals are, we're told this information isn't available."
Army Times waited to break the news of the breach until after it was corrected Sept. 28. Army Times notified Army officials of the breach, and the Army notified the contractor. Within hours, the file that contained the sensitive information was removed, said Col. Jonathan Withington, an Army spokesman at the Pentagon.
"We take these matters very seriously, and we took immediate action," Withington said.
The Army's Chief of Public Affairs office has provided Brightline on an annual basis with the names, pictures and award citations for all recipients of the Silver Star, Distinguished Service Cross and Medal of Honor since Sept. 11, 2001. The public affairs office obtained the information from Human Resources Command.
The firm for several years built OCPA's "Gallery of Heroes" kiosk at the Association of the United States Army biannual conventions. However, as the Army scales back its presence at shows this year, the kiosk will not be present at the October convention, Withington said.
A Web developer who lists his employer as Brightline on the networking site LinkedIn appeared to have posted or had access to the database on a public server alongside more than a dozen more innocuous files apparently related to his work. It was unclear why the information was there.
Erik Muendel, CEO of Brightline, told Army Times he was previously unaware of the breach and did not know how the file wound up online, but he said he was investigating what was posted and how it got there.
He said his firm is only meant to receive unclassified information, and he was surprised the firm was provided with sensitive information.
"I'm assuming that that file was a derivative of information that was provided to us, but I do not know," Muendel said Sept. 28.
The database was discovered by Doug Sterner, the curator of Military Times' online database of valor and award citations, "Hall of Valor." Sterner said separate searches for award recipients repeatedly led him to the Brightline database, and he downloaded it to investigate further.
Sterner said the database appears to contain records of every recipient of those awards for actions since the start of the war in Afghanistan. He called it "the most complete, correct database of its kind," and more accurate than the Defense Department's public database at http://valor.defense.gov.
Sterner said while the leak of personal information was unfortunate, the database represents a watershed for his mission, to publicize information about award recipients to honor them and for posterity.
"I felt like I just found buried gold on the Philippine Islands," Sterner said of finding the database. "This was one of the single biggest award finds in my 15 years of researching awards. I was so thrilled to find this." Ë