City of Minneola firefighters exposed on web
Technorati Tag: Security Breach
Date Reported:
3/16/08
Organization:
City of Minneola (FL)
Contractor/Consultant/Branch:
None
Victims:
City firefighters
Number Affected:
10
Types of Data:
"names, addresses, phone numbers and social security numbers"
Breach Description:
"The city of Minneola is being accused of violating federal, state and local laws. A union representative said several firefighters' personal information was posted on the city's web site for more than three days."
Reference URL:
Central Florida News 13
WFTV Channel 9 News
my FOX Orlando
Report Credit:
Central Florida News 13
Response:
From the online sources cited above:
The city of Minneola is being accused of violating federal, state and local laws. A union representative said several firefighters' personal information was posted on the city's web site for more than three days.
The Mayor of the Minneola says the personal addresses, phone numbers and Social Security numbers of ten firefighters were unknowingly made public after they were published on the city's website late last week.
[Evan] Although this breach only affects 10 individuals, it should not be minimized or considered insignificant. One is too many.
The city clerk accidentally published the information.
[Evan] We just discussed a breach concerning a county clerk last week in the "Oklahoma County Social Security numbers online" article. Now we have a city clerk error. Clerks have to be able to balance the need to disclose public information while ensuring that the private information stays confidential. No easy task and not a task to be taken lightly.
The city clerk was updating the agenda for this week's city council meeting where the city will vote on recognizing the new union.
"The city clerk in this case, she does hundreds of thousands of pieces of document. This one slipped by. It's nothing intentional. We apologize," said Minneola Mayor David Yeager.
"A man called one of our firefighters. The firefighter called the Chief who called the City Manager. The City Manager called myself and advised us that this was on the website and that it was not allowed to be on the website," said Minneola Mayor David Yeager.
The data was taken from applications that the firefighers had submitted to the city for union recognition.
According to Mayor Yeager, those applications were accidentally scanned by a city clerk and published by personnel in the IT (Information Technology) Department.
[Evan] It would be a good idea to have a quick information security review of information posted to the web site before it is published. I understand how human error just happens, but I think a second review by trained eyes could go a long way towards preventing similar circumstances in the future.
"The Privacy of Information Act was breached. There is not a counter, that we know of, as far as how many hits are on that website. As far as how many people got access to that or what type of people got access to that, we don't know," said a firefighter union spokesman, Joe Garbaravage.
[Evan] There is on most web servers. Almost all web servers log access attempts. It may be possible that logging were not enabled (bad practice).
"I'm not sure how many people actively search the website," said Minneola firefighter Bradley Mattingly, responding to whether or not he was concerned about his personal information getting into criminal hands. "But there's also the unknown," he added.
Some firefighters said they're satisfied with the city's quick response to fix the problem, but sources told Eyewitness News that other firefighters feel like the incident is retaliation.
[Evan] Interesting. Purposeful personal information disclosure as a weapon. I doubt that this is the case with this breach, but an interesting angle that I hadn't really given much thought to.
The mayor said no one will be reprimanded since the mistake was a case of human error. The city also said it will give firefighters one free year of a credit monitoring service.
Commentary:
Given the two breaches attributed to clerks (one county and one city) in the past week, it is obvious that they hold a very important role in keeping personal information private. How many clerks would you guess receive formal information security training? Do you suppose that only one person is responsible for all of the information management including the determination of what should be public and what should be private? This seems like a heckuva lot of responsibility for one person.
My thoughts are mixed on the "disclosure as a weapon" concept. Could happen, but probably not very likely. Other causes of disclosure are much more probable.
Past Breaches:
Unknown
Date Reported:3/16/08
Organization:
City of Minneola (FL)
Contractor/Consultant/Branch:
None
Victims:
City firefighters
Number Affected:
10
Types of Data:
"names, addresses, phone numbers and social security numbers"
Breach Description:
"The city of Minneola is being accused of violating federal, state and local laws. A union representative said several firefighters' personal information was posted on the city's web site for more than three days."
Reference URL:
Central Florida News 13
WFTV Channel 9 News
my FOX Orlando
Report Credit:
Central Florida News 13
Response:
From the online sources cited above:
The city of Minneola is being accused of violating federal, state and local laws. A union representative said several firefighters' personal information was posted on the city's web site for more than three days.
The Mayor of the Minneola says the personal addresses, phone numbers and Social Security numbers of ten firefighters were unknowingly made public after they were published on the city's website late last week.
[Evan] Although this breach only affects 10 individuals, it should not be minimized or considered insignificant. One is too many.
The city clerk accidentally published the information.
[Evan] We just discussed a breach concerning a county clerk last week in the "Oklahoma County Social Security numbers online" article. Now we have a city clerk error. Clerks have to be able to balance the need to disclose public information while ensuring that the private information stays confidential. No easy task and not a task to be taken lightly.
The city clerk was updating the agenda for this week's city council meeting where the city will vote on recognizing the new union.
"The city clerk in this case, she does hundreds of thousands of pieces of document. This one slipped by. It's nothing intentional. We apologize," said Minneola Mayor David Yeager.
"A man called one of our firefighters. The firefighter called the Chief who called the City Manager. The City Manager called myself and advised us that this was on the website and that it was not allowed to be on the website," said Minneola Mayor David Yeager.
The data was taken from applications that the firefighers had submitted to the city for union recognition.
According to Mayor Yeager, those applications were accidentally scanned by a city clerk and published by personnel in the IT (Information Technology) Department.
[Evan] It would be a good idea to have a quick information security review of information posted to the web site before it is published. I understand how human error just happens, but I think a second review by trained eyes could go a long way towards preventing similar circumstances in the future.
"The Privacy of Information Act was breached. There is not a counter, that we know of, as far as how many hits are on that website. As far as how many people got access to that or what type of people got access to that, we don't know," said a firefighter union spokesman, Joe Garbaravage.
[Evan] There is on most web servers. Almost all web servers log access attempts. It may be possible that logging were not enabled (bad practice).
"I'm not sure how many people actively search the website," said Minneola firefighter Bradley Mattingly, responding to whether or not he was concerned about his personal information getting into criminal hands. "But there's also the unknown," he added.
Some firefighters said they're satisfied with the city's quick response to fix the problem, but sources told Eyewitness News that other firefighters feel like the incident is retaliation.
[Evan] Interesting. Purposeful personal information disclosure as a weapon. I doubt that this is the case with this breach, but an interesting angle that I hadn't really given much thought to.
The mayor said no one will be reprimanded since the mistake was a case of human error. The city also said it will give firefighters one free year of a credit monitoring service.
Commentary:
Given the two breaches attributed to clerks (one county and one city) in the past week, it is obvious that they hold a very important role in keeping personal information private. How many clerks would you guess receive formal information security training? Do you suppose that only one person is responsible for all of the information management including the determination of what should be public and what should be private? This seems like a heckuva lot of responsibility for one person.
My thoughts are mixed on the "disclosure as a weapon" concept. Could happen, but probably not very likely. Other causes of disclosure are much more probable.
Past Breaches:
Unknown
Posts Atom 1.0
Comments