Oklahoma County Social Security numbers online
Technorati Tag: Security Breach
Date Reported:
3/11/08
Organization:
Oklahoma County
Contractor/Consultant/Branch:
Office of the County Clerk
Victims:
Oklahoma County residents
Number Affected:
"thousands"
Types of Data:
Information found on court documents including many Social Security numbers
Breach Description:
"The Social Security numbers of thousands of Oklahoma County residents are available on County Clerk Carolynn Caudill's website to anyone who wants to look, apparently in violation of federal law."
Reference URL:
Tulsa Today
Report Credit:
Mike McCarville, Tulsa Today
Response:
From the online source cited above:
The Social Security numbers of thousands of Oklahoma County residents are available on County Clerk Carolynn Caudill's website to anyone who wants to look, apparently in violation of federal law.
The numbers are contained on numerous documents filed of record in the county and are easily found by anyone with computerized research experience.
Social Security numbers of numerous prominent Oklahoma County residents were found with ease and in no case did we find a document where the Social Security number had been redacted, or blacked out, as is required under federal law.
Almost all of some 8.7 million documents - 17 million pages - are online, from mortgage documents, mineral deeds, liens and other legal "papers," from original land patents granted after the Land Run of 1889 to last week’s property deals, said Mark Mishoe, chief deputy for County Clerk Carolynn Caudill
While the Social Security numbers appear to have been available for several years on the clerk's site, it's been only recently that others have discovered them.
there are no reports yet of identity theft as a result so far as could be determined
[Evan] I don't know how it would be possible to determine identity theft victims if the information has been online for "several years".
Those discoveries apparently resulted in protests made to Caudill, who at tomorrow's Board of County Commissioner's meeting will request a requisition of almost $30,000 to hire a firm to begin redacting the numbers.
The board's agenda contains this item:
28. Discussion and possible action for approval of Statement of Work, HTC Global Services Inc., Redaction Quality Check Services.
[Evan] According to the Statement of Work (SOW), a company named AmCad performed the original redaction. It's not clear who is responsible for ongoing redaction for newly posted documents. Does an employee with the County Clerk's office have this responsibility? Where is the process failing that allows non-redacted documents to be posted? I'm glad that the county is taking steps to remediate the immediate exposure, but what will they do to prevent this from occurring again?
Easily located on Caudill's site were the Social Security numbers of television news anchors, public officials and prominent business leaders.
[Evan] Finding confidential information that affects prominent persons is a ticket to getting attention.
Commentary:
I could find nothing posted about this breach on the Oklahoma County or County Clerk web sites. I could not find any other news stories to corroborate this story either.
Security issues surrounding the duties of county clerks can be challenging from both a confidentiality and an integrity standpoint. I have seen instances where court decisions were made based on publicly available court documents that were inaccurate. Then there are cases where court documents should be public in whole, but contain sensitive confidential information in the details. What effective process should be in place to review court documents for accuracy and information sensitivity?
Does the county have an obligation to notify the residents that were affected by this breach? I think that they do ethically, but after a quick search I was not able to find anything legally binding.
Past Breaches:
Unknown
Date Reported:3/11/08
Organization:
Oklahoma County
Contractor/Consultant/Branch:
Office of the County Clerk
Victims:
Oklahoma County residents
Number Affected:
"thousands"
Types of Data:
Information found on court documents including many Social Security numbers
Breach Description:
"The Social Security numbers of thousands of Oklahoma County residents are available on County Clerk Carolynn Caudill's website to anyone who wants to look, apparently in violation of federal law."
Reference URL:
Tulsa Today
Report Credit:
Mike McCarville, Tulsa Today
Response:
From the online source cited above:
The Social Security numbers of thousands of Oklahoma County residents are available on County Clerk Carolynn Caudill's website to anyone who wants to look, apparently in violation of federal law.
The numbers are contained on numerous documents filed of record in the county and are easily found by anyone with computerized research experience.
Social Security numbers of numerous prominent Oklahoma County residents were found with ease and in no case did we find a document where the Social Security number had been redacted, or blacked out, as is required under federal law.
Almost all of some 8.7 million documents - 17 million pages - are online, from mortgage documents, mineral deeds, liens and other legal "papers," from original land patents granted after the Land Run of 1889 to last week’s property deals, said Mark Mishoe, chief deputy for County Clerk Carolynn Caudill
While the Social Security numbers appear to have been available for several years on the clerk's site, it's been only recently that others have discovered them.
there are no reports yet of identity theft as a result so far as could be determined
[Evan] I don't know how it would be possible to determine identity theft victims if the information has been online for "several years".
Those discoveries apparently resulted in protests made to Caudill, who at tomorrow's Board of County Commissioner's meeting will request a requisition of almost $30,000 to hire a firm to begin redacting the numbers.
The board's agenda contains this item:
28. Discussion and possible action for approval of Statement of Work, HTC Global Services Inc., Redaction Quality Check Services.
[Evan] According to the Statement of Work (SOW), a company named AmCad performed the original redaction. It's not clear who is responsible for ongoing redaction for newly posted documents. Does an employee with the County Clerk's office have this responsibility? Where is the process failing that allows non-redacted documents to be posted? I'm glad that the county is taking steps to remediate the immediate exposure, but what will they do to prevent this from occurring again?
Easily located on Caudill's site were the Social Security numbers of television news anchors, public officials and prominent business leaders.
[Evan] Finding confidential information that affects prominent persons is a ticket to getting attention.
Commentary:
I could find nothing posted about this breach on the Oklahoma County or County Clerk web sites. I could not find any other news stories to corroborate this story either.
Security issues surrounding the duties of county clerks can be challenging from both a confidentiality and an integrity standpoint. I have seen instances where court decisions were made based on publicly available court documents that were inaccurate. Then there are cases where court documents should be public in whole, but contain sensitive confidential information in the details. What effective process should be in place to review court documents for accuracy and information sensitivity?
Does the county have an obligation to notify the residents that were affected by this breach? I think that they do ethically, but after a quick search I was not able to find anything legally binding.
Past Breaches:
Unknown
Posts Atom 1.0
Comments