"Metro" employee information mistakenly posted to Web
Date Reported:
7/14/08
Organization:
Washington Metropolitan Area Transit Authority ("Metro")
Contractor/Consultant/Branch:
None
Victims:
"past and present employees"
Number Affected:
4,675
Types of Data:
Names and Social Security numbers
Breach Description:
"Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month."
Reference URL:
Metro Press Release
Associated Press via Forbes.com
NBC Channel 4 News
The Washington Post
Report Credit:
Washington Metropolitan Area Transit Authority
Response:
From the online sources cited above:
Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month.
The information was posted between June 9 and 25 as part of a solicitation from Metro to companies interested in providing worker’s compensation and risk management services.
[Evan] Rather than post this information to a public web site, why wasn't a more secure method of transmission used such as VPN or secure FTP?
The document mistakenly included the social security numbers of 4,675 employees.
[Evan] According to Metro spokeswoman Candace Smith the sensitive information was supposed to be redacted. I wonder how well this mandate was communicated to the employee(s) responsible for compiling and posting the information.
A smaller group of employees had their names and social security numbers posted in the lengthy document. Metro officials continue to analyze the information for any other data breaches.
Three Metro employees have been disciplined
The three disciplined employees, including a manager, have been suspended for up to a month without pay, officials said.
[Evan] This implies that the employees responsible for the mistake should have known better. We can probably assume that they were informed of the proper procedure, but did not follow it.
Letters warning of the breach were sent out to the affected employees.
The letter urges employees to watch their credit reports for signs of identity theft.
Last week, the agency set up a separate Web site where employees can determine whether their numbers were among those posted.
The agency is offering the 4,700 employees one year of free credit report monitoring, $25,000 in identity theft insurance and counseling services.
"We deeply regret this incident, and believe the likelihood of misuse of the information is low," said Metro Chief Safety Officer Ronald Keele.
"However, we have taken additional steps to protect employee information by bolstering Internet security and requiring more checks and balances of materials before they are being released publicly."
[Evan] Checks and balances are typically lacking in these types of breaches, so I think it’s a good sign that Metro is addressing these.
Metro officials say they are not alone in this type of data breach.
[Evan] So what?
According to the Identity Theft Resource Center, data breaches at businesses, governments and universities were up 69 percent in the first half of 2008 compared with a similar period in 2007.
Commentary:
The end result of this oversight is three disciplined employees (with no pay for a month) and nearly 4,700 people with an increased risk of identity theft. Forethought is there for a reason; whether or not you use it is your choice.
Past Breaches:
Unknown