RISKS-LIST: RISKS-FORUM Digest  Wednesday 17 May 1989  Volume 8 : Issue 71

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  American Airlines' reservation system crash (Dave Curry)
  NCIC information leads to repeat false arrest suit (Rodney Hoffman)
  Hacking for a competitive edge (Rodney Hoffman)
  Privacy of SSA records (Marc Rotenberg)

----------------------------------------------------------------------

Date: Sat, 13 May 89 18:38:13 -0700
From: davy@riacs.edu
Subject: American Airlines' reservation system crash

Excerpts from "Travel agents in a holding pattern after airline ticket computer stalls", San Jose Mercury News, 5/13/89 (reprinted from N.Y. Times):

"The nation's largest airline computer reservation system, American Airlines' Sabre, inadvertently shut down for almost 12 hours Friday, disrupting the operations of about 14,000 travel agencies nationwide.

A large portion of American itself was left without information about who was booked on flights and whether seats were available, and the airline was forced to revert to writing tickets by hand to serve tens of thousands of travelers. American said, however, that there were no major disruptions of its 2,300 daily flights.

The computer shutdown was one of the longest for what has been considered one of the airline industry's most reliable reservation systems. [....]

John Hotard, manager of corporate communications for American, said the Sabre system, housed in an underground bunker-like building in Tulsa, OK, failed shortly after midnight Friday while workers at the computer center were installing additional disk drives as part of a system expansion. Service was not restored until noon Friday, he said. But some travel agencies said their terminals did not resume functioning until one or two hours after that.

Apparently, no information about reservations and other travel plans was lost during the failure. [....]
Hotard said the problem with the computer system was a failure in its software. He said the part of the American computer system that handles flight operations -- like crew scheduling, fuel loads and weight loads on American's fleet of airplanes -- was not affected, so flight operations were not disrupted."

[The system has EIGHT IBM 3090-200 E mainframes, designed to survive ordinary hardware malfunctions. This appears to be a software upgrade screwup that downed the whole system. PGN]

------------------------------

Date: 14 May 89 17:36:59 PDT (Sunday)
From: Rodney Hoffman
Subject: NCIC information leads to repeat false arrest suit

An article by James Rainey in the 'Los Angeles Times' 12-May-89 reports that Roberto Perales Hernandez has been jailed twice in the last three years as a suspect in a 1985 Chicago residential burglary. The authorities confused him with another Roberto Hernandez due to a single entry in the FBI's National Crime Information Center computer.

The two Roberto Hernandezes are the same height, about the same weight, have brown hair, brown eyes, tattoos on their left arms, share the same birthday, and report Social Security numbers which differ by only one digit!

The falsely imprisoned man has filed suit charging the Hawthorne (CA) Police Dept., Los Angeles County, and the state with false imprisonment, infliction of emotional distress, and civil rights violations stemming from the most recent arrest last year. He had previously received a $7,000 settlement from the county for holding him 12 days in 1986 before realizing he was the wrong man. In the latest incident, he was held for seven days then freed with no explanation.

------------------------------

Date: 14 May 89 17:39:06 PDT (Sunday)
From: Rodney Hoffman
Subject: Hacking for a competitive edge

From the 'Los Angeles Times' 12-May-89:

Two former Tampa, FL TV news managers have been charged with illegally tapping into phone lines and computers at another station to gain a news edge over their competitors. Former news director Terry Cole and assistant news director Michael Shapiro at WTSP-TV have been charged with 17 counts of computer hacking and conspiracy in the theft of information from WTVT-TV through computer phone lines, authorities said. Their arraignment is set for May 19. If convicted, each could face a maximum prison sentence of 85 years. The two were fired from WTSP when the station learned of the alleged thefts.

The break-ins began in November but were not noticed until Jan. 12, when WTVT's morning news producer noticed that files were missing, authorities said. Computer experts determined that an intruder had rifled the files. Authorities said Shapiro knew WTVT's security system thoroughly because he had helped set it up while working there as an assignment manager before being hired away from WTVT in October.

I have no idea what sort of charge "17 counts of computer hacking and conspiracy in the theft of information" really is.

------------------------------

Date: Sat, 13 May 89 11:11:49 -0700
From: mrotenberg@cdp.uucp
Subject: Privacy of SSA records (update on RISKS-8.70)

Two clarifications regarding the item in RISKS-8.70 on the record exchange involving the Social Security Administration and TRW:

- The proposed transfer of the social security records to TRW came to an end after the plan was disclosed at an April hearing of the Senate Committee on Aging.

- The primary concern expressed by members of Congress was the privacy violation, not the cost to SSA. Senator Pryor said that he was glad the SSA had "seen fit to preserve the confidentiality of the Social Security files.
Unfortunately," he said, "this action comes too late to protect some 150,000 people whose files were violated in a test run conducted for TRW [in 1987] and for more than 3 million people on whom verifications were conducted for Citibank and other firms in past years." The HHS Inspector General also described these activities as "the largest breach of privacy in the history of the program."

As a matter of privacy law, the plan violated a general provision in the 1974 Privacy Act which states that no agency should disclose any record unless it obtains the consent of the record subject or a particular exemption applies. (None applied in this case). Some attorneys within SSA were not convinced that the language in the Privacy Act was dispositive, but a decision of the Supreme Court a month before the Senate hearing affirming the privacy of computerized criminal records stored by the federal government tipped the balance in favor of stopping the program.

- Marc Rotenberg

------------------------------

End of RISKS-FORUM Digest 8.71
************************
-------