Cache Comes Back to Bite York County Constables
Date Reported:
9/18/07
Organization:
York County Pennsylvania
Contractor/Consultant:
Clerk of Courts
Victims:
York County constables
Number Affected:
Unknown
Types of Data:
Name, address, phone number, and Social Security number.
Breach Description:
York County Clerk of Courts Don O'Shell inadvertently posted an Excel spreadsheet to the county Internet site containing sensitive data about various county constables. The spreadsheet was removed last year, but recently cached versions were discovered on various search engines.
Reference URL:
http://www.ydr.com/newsfull/ci_6926394
Report Credit:
Teresa Ann Boeckel, York Daily Record
Response:
From the online resource mentioned above:
"York County Clerk of Courts Don O'Shell apologized Monday for inadvertently posting personal information about some of the constables, including their Social Security numbers, on the county's Web site."
"I'm personally very sorry this all happened," O'Shell said Monday. "It was a simple error on my part."
[Comfyllama] It would stink to be named publicly as the single person to blame for a security breach due to a seemingly innocent mistake. I feel sad for the guy.
"The county removed the sensitive information from the Web site last year, days after it was posted, O'Shell said. But officials didn't realize it had been cached on Internet search engines until a constable Googled his name during the summer."
"The constables, though, are "outraged" and each one is considering legal avenues based on credit and safety, said their attorney, Chris Ferro."
[Comfyllama] Uh oh, attorneys are involved.
"The release did not affect all of the constables"
"He [Carl Barley, president of the York County Constables Association] said three constables have had problems with identity theft in the past year, but he had no idea whether it was related to the county's release of their personal information." - Carl Barley, President of the York County Constables Association.
It could be years, though, before a problem arises, Barley said.
[Comfyllama] Absolutely. People tend to think of their current circumstances much more so than they do about long-term possibilities and consequences.
"Barley said that, earlier this month, he found a copy of the sensitive information laying in a cubicle in the Clerk of Courts office where people had access to it. County solicitor Mike Flannelly said it was not in a public area."
[Comfyllama] Public or not, confidential information is meant for people who have a "need to know" only. There were obviously people with access to the copy who did not have a "need to know".
"officials didn't realize it already had been cached on Internet search engines until Barley Googled his name in July and brought it to the courts' attention."
"O'Shell contacted Google's legal department, which indicated it would take four to six weeks to remove the personal information unless a judge issued a court order, which would speed up the request."
[Comfyllama] I did not know this information. Good stuff to know if you (or I) ever run into a similar situation.
"President Judge Richard K. Renn issued an order July 6 that Google immediately remove from its tracker, cache and all other data and identifiers of the constables."
"Officials later found out the information was on MSN, too, and, with the help of U.S. Sen. Arlen Specter's office, Microsoft was contacted to remove it as well."
[Comfyllama] Wow, a U.S. Senator!
Commentary:
This is an interesting story of a "simple mistake" that has the potential to impact multiple lives. Although I feel bad for Mr. O'Shell, it is obvious that this department desperately needs some good information security training and awareness.
A cached example of where the file used to be (since removed):

A cached search showing what the file name was, 6-20-06.xls:

IMPORTANT: If you need to respond to an inadvertent posting to the Internet of sensitive data, do NOT forget about what the search engines may have cached. It is simple to check if the information is cached, but life sucks if you forget.
Past Breaches:
Unknown