As mentioned in recent posts, the current issue of IRW features an article covering incidents where social security numbers (SSNs) have been leaked to the Web. Along the same line, a cardinal rule in Web security is to never provide a connection between an intranet and the Internet. Once such a connection is established (hardware-based or via links), chances are that you no longer have an intranet. So, why take the risks?

In addition, never place sensitive information in a test server with access to the Web. Unfortunately the first offenders frequently are government agencies and universities. Stubborn IT administrators never get it!

For instance adding insult to injury, here is a report from the Orlando Sentinel, wherein 250,000+ users accounts containing SSNs were compromised:

http://blogs.orlandosentinel.com/news_politics/2008/12/state-agency-pu.html

According to this news and quote:

“The state Agency for Workforce Innovation blamed a “security breach” Wednesday for why it accidentally placed the names and Social Security numbers of 250,000 job-seekers on a “test server” that could have been accessed online.”

“The names and information were online for 19 days and removed in late October after the state Department of Revenue came across it during “routine work,” officials said. The only common denominator among the names placed online was that they all got services over the last six years from one of the 81 Florida “career centers” that provide job-training and resources around the state.”

The breach is giving bad publicity to Agency for Workforce Innovation (AWI). According to http://infosecurity.us/?p=4041, the Liberty Coalition asked AWI the following questions:

  1. Why did the Agency for Workforce Innovation store sensitive Excel files on a server at all?
  2. Why was this website left open to the public for more than a month, undetected by AWI’s IT department?
  3. Why were the files on the server not behind a firewall, password protected or encrypted?
  4. How many other servers store sensitive personal information, and how many of those are available to the public right now?
  5. How many AWI employees have access to clients’ social security numbers, and do they all need access?
  6. How do you plan to train employees to appropriately handle sensitive personal information?
  7. Do you have a regular schedule of scanning your internal networks and external servers for personal information? If so, why was this breach not discovered?
  8. Does the Agency for Workforce Innovation intend to pay for identity theft protection services for the victims of this breach?
  9. Will the Agency notify victims by mail?

Infosecurity states that the Liberty Coalition has raised the following issues:

  1. AWI has not offered to protect victims with identity theft protection services.
  2. AWI relied on public search engines and a member of the public 800 miles away to discover the breach.
  3. The Agency should destroy the information, not just restrict access.
  4. How many other AWI servers are currently exposing personal information.
  5. Why the need for AWI to collect minors’ social security numbers.
  6. AWI has not indicated how many employees have access to clients’ social security numbers, and whether these employees require access to fulfil their job descriptions.
  7. AWI does not appear to regularly scans its networks for sensitive personal information.

To play pr/damage control after the facts and gross incompetence, the FloridaJobs.org site published the following:

“The Agency for Workforce Innovation is continuing to take action to address a security breach that recently occurred on a test server. Upon discovery, the Agency immediately contacted the appropriate law enforcement agencies, began a thorough investigation and promptly coordinated with all major external search engine companies to ensure the information was no longer accessible to the public. The Agency has no reason to believe any personal information has been accessed for unlawful purposes.”
http://www.floridajobs.org/publications/news_rel/securityBreach.html

They have “no reason to believe any personal information has been accessed for unlawful purposes.” Good pr try. How do they know that? After their comedy of errors, why would anyone want to submit resumes to their databases? The rest of their pr excuses are a wall of smoke.

Note also how they quickly contacted search engines, just in case these have indexed the documents. At least they are realizing the power of search engines. Chances are they have cached copies of these documents.

Advertisements