The RISKS Digest
Volume 8 Issue 71

Wednesday, 17th May 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o American Airlines' reservation system crash
Dave Curry
o NCIC information leads to repeat false arrest suit
Rodney Hoffman
o Hacking for a competitive edge
Rodney Hoffman
o Privacy of SSA records
Marc Rotenberg
o Info on RISKS (comp.risks)

American Airlines' reservation system crash <Dave Curry>
Sat, 13 May 89 18:38:13 -0700
Excerpts from "Travel agents in a holding pattern after airline ticket computer
stalls", San Jose Mercury News, 5/13/89 (reprinted from N.Y. Times):

  "The nation's largest airline computer reservation system, American
Airlines' Sabre, inadvertently shut down for almost 12 hours Friday,
disrupting the operations of about 14,000 travel agencies nationwide.  A
large portion of American itself was left without information about who was
booked on flights and whether seats were available, and the airline was
forced to revert to writing tickets by hand to serve tens of thousands of
travelers.  American said, however, that there were no major disruptions of
its 2,300 daily flights.
  The computer shutdown was one of the longest for what has been considered
one of the airline industry's most reliable reservation systems.  [....]
John Hotard, manager of corporate communications for American, said the
Sabre system, housed in an underground bunker-like building in Tulsa, OK,
failed shortly after midnight Friday while workers at the computer center
were installing additional disk drives as part of a system expansion.
  Service was not restored until noon Friday, he said.  But some travel
agencies said their terminals did not resume functioning until one or two
hours after that.  Apparently, no information about reservations and other
travel plans was lost during the failure.   [....]
  Hotard said the problem with the computer system was a failure in its
software.  He said the part of the American computer system that handles
flight operations — like crew scheduling, fuel loads and weight loads on
American's fleet of airplanes — was not affected, so flight operations were
not disrupted.

    [The system has EIGHT IBM 3090-200 E mainframes, designed to survive
    ordinary hardware malfunctions.  This appears to be a software 
    upgrade screwup that downed the whole system.  PGN]

NCIC information leads to repeat false arrest suit

Rodney Hoffman <>
14 May 89 17:36:59 PDT (Sunday)
An article by James Rainey in the 'Los Angeles Times' 12-May-89 reports
that Roberto Perales Hernandez has been jailed twice in the last three
years as a suspect in a 1985 Chicago residential burglary.  The authorities
confused him with another Roberto Hernandez due to a single entry in the
FBI's National Crime Information Center computer.

The two Roberto Hernandezes are the same height, about the same weight, have
brown hair, brown eyes, tattoos on their left arms, share the same birthday,
and report Social Security numbers which differ by only one digit!

The falsely imprisoned man has filed suit charging the Hawthorne (CA)
Police Dept., Los Angeles County, and the state with false imprisonment,
infliction of emotional distress, and civil rights violations stemming from
the most recent arrest last year.  He had previously received a $7,000
settlement from the county for holding him 12 days in 1986 before realizing
he was the wrong man.  In the latest incident, he was held for seven days
then freed with no explanation.

Hacking for a competitive edge

Rodney Hoffman <>
14 May 89 17:39:06 PDT (Sunday)
From the 'Los Angeles Times' 12-May-89:

   Two former Tampa, FL TV news managers have been charged with illegally
   tapping into phone lines and computers at another station to gain a
   news edge over their competitors.  Former new director Terry Cole and
   assistant news director Michael Shapiro at WTSP-TV have been charged
   with 17 counts of computer hacking and conspiracy in the theft of 
   information from WTVT-TV through computer phone lines, authorities
   said.  Their arraignment is set for May 19.  If convicted, each could
   face a maximum prison sentence of 85 years.  The two were fired from 
   WTSP when the station learned of the alleged thefts.  The break-ins
   began in November but were not noticed until Jan. 12, when WTVT's
   morning news producer noticed that files were missing, authorities 
   said.    Computer experts determined that an intruder had rifled the
   files.  Authorities said Spapiro knew WTVT's security system thoroughly
   because he had helped set it up while working there as an assignment
   manager befroe being hired away from WTVT in October.

I have no idea what sort of charge "17 counts of computer hacking and
conspiracy in the theft of information" really is.

Privacy of SSA records (update on RISKS-8.70)

Sat, 13 May 89 11:11:49 -0700
Two clarifications regarding the item in RISKS-8.70 on the record exchange
involving the Social Security Administration and TRW:

  - The proposed transfer of the social security records to TRW came to an
    end after the plan was disclosed at an April hearing of the Senate
    Committee on Aging.

  - The primary concern expressed by members of Congress was the privacy
  violation, not the cost to SSA.  Senator Pryor said that he was glad the SSA
  had "seen fit to preserve the confidentiality of the Social Security files.
  Unfortunately," he said, "this action comes to late to protect some 150,000
  people whose files were violated in a test run conducted for TRW [in 1987]
  and for more than 3 million people on whom verifications were conducted for
  Citibank and other firms in past years."  The HHS Inspector General also
  described these activities as "the largest breach of privacy in the history
  of the program."

As a matter of privacy law, the plan violated a general provision in the
1974 Privacy Act which states that no agency should disclose any record
unless it obtains the consent of the record subject or a particular
exemption applies.  (None applied in this case).

Some attorneys within SSA were not convinced that the language in the
Privacy Act was dispositive, but a decision of the Supreme Court a month
before the Senate hearing affirming the privacy of computerized criminal
records stored by the federal government tipped the balance in favor of
stopping the program.
                    - Marc Rotenberg

Please report problems with the web pages to the maintainer