[Dataloss] Florida State Agency Loses 250,000+ SSNs Online

From: Aaron Titus (privacyaarontitus.net)
Date: Mon Dec 01 2008 - 23:54:24 CST


 <http://www.nationalidwatch.org/redir.php?url=http://www.floridajobs.org>
The Florida Agency for Workforce Innovation (AWI, or Florida Jobs--
floridajobs.org) posted employment information and more than a quarter
million social security numbers online for at least one month, and perhaps
longer. The information included social security numbers of at least fifty
children.

Individuals who participated in the Florida Jobs One-Stop Program since 2002
may be at risk, and should go to National ID Watch
(http://www.nationalidwatch.org/) to find out whether they were affected.

In the course of developing a new employment website, AWI posted several
thousand Excel and text files containing millions of employment records.
These records contained:

* Between 255,917 and 259,193 names and Social Security Numbers.
* 51 of the breached Social Security Numbers belonged to children.

Although some of the files have been on the server for more than six years,
AWI officials insist that the server was only connected to the internet for
about a month. Whether social security numbers were online for a month or
six years, they had no passwords, were not encrypted, and were not behind a
firewall. Anyone with an internet connection could access the names and
social security numbers.

The Liberty Coalition asked AWI the following questions:

1. Why did the Agency for Workforce Innovation store sensitive Excel
files on a server at all?
2. Why was this website left open to the public for more than a month,
undetected by AWI's IT department?
3. Why were the files on the server not behind a firewall, password
protected or encrypted?
4. How many other servers store sensitive personal information, and how
many of those are available to the public right now?
5. How many AWI employees have access to clients' social security
numbers, and do they all need access?
6. How do you plan to train employees to appropriately handle sensitive
personal information?
7. Do you have a regular schedule of scanning your internal networks
and external servers for personal information? If so, why was this breach
not discovered?
8. Does the Agency for Workforce Innovation intend to pay for identity
theft protection services for the victims of this breach?
9. Will the Agency notify victims by mail?

In response to these questions, an official answered in part, "The Agency
takes these matters very seriously, and the security of our customers'
confidential information is a number one priority. Although this was an
isolated incident which was quickly discovered and corrected, we are
examining the details of this issue very closely, and based on our findings,
will implement any necessary system modifications and will take appropriate
action in accordance with applicable law." The agency has or will take the
following steps:

* The Agency for Workforce Innovation quickly removed access to the
sensitive information within hours of becoming aware of the breach.
* The Agency quickly coordinated with search engines to remove cached
versions of the documents from the internet.
* The Agency will attempt to notify the victims of this breach by
mail.
* The Agency has hired a third party to assess network vulnerability.
* The Agency is working with the Florida Department of Law Enforcement
and the Office of the Attorney General.
* The Agency pledges to learn from its mistakes.

The Liberty Coalition commends the agency for these responsible steps, but
also notes the following:

* AWI has not offered to protect victims with identity theft
protection services.
* AWI relied on public search engines and a member of the public 800
miles away to discover the breach.
* The Agency should destroy the information, not just restrict access.
* We don't know how many other AWI servers are currently exposing
personal information.
* We question the need for AWI to collect minors' social security
numbers.
* AWI has not indicated how many employees have access to clients'
social security numbers, and whether these employees require access to
fulfil their job descriptions.
* AWI does not appear to regularly scan its networks for sensitive
personal information.

The Agency for Workforce Innovation has taken the files offline, though it's
too early to tell whether the Florida Jobs breach has resulted in identity
theft.

About NationalIDWatch.org

National ID Watch is a search engine for personal information breaches.
Sponsored by the Washington, DC non-profit Liberty Coalition
(http://www.libertycoalition.net), NationalIDWatch.org provides more than a
million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal
information were exposed (such as Social Security Numbers, Birth Dates,
Addresses, etc.), without revealing them. Each IXR also details the
situation surrounding each exposure, and contact information of those
responsible for the breach. Armed with this information, victims can further
investigate, take action, or correct harm.

Source: <http://www.nationalidwatch.org/release.php?g=111>

-Aaron Titus


_______________________________________________
Dataloss Mailing List (datalossdatalossdb.org)
