Department of Business & Professional Regulation is notifying 150 people

Date Reported:
7/18/08

Organization:
State of Florida

Contractor/Consultant/Branch:
Department of Business and Professional Regulation ("DBPR")

Victims:
Complainants

Number Affected:
150

Types of Data:
"personal information"

Breach Description:
"TALLAHASSEE, Fla. - The Department of Business and Professional Regulation is notifying 150 people that they should check their credit reports.

A department employee is accused of unsuccessfully trying to get credit cards with personal information the agency received on complaint forms."

Reference URL:
Fort Mill Times
Associated Press via WCTV Channel 4 News

Report Credit:
Fort Mill Times

Response:
From the online sources cited above:

TALLAHASSEE, Fla. - The Department of Business and Professional Regulation is notifying 150 people that they should check their credit reports.

A department employee is accused of unsuccessfully trying to get credit cards with personal information the agency received on complaint forms.
[Evan] At least the employee was not successful in getting these credit cards.  I suppose she might have been successful in other attempts (if they were made).

Casselberry police told the department that the woman used three people's names and information to apply for the cards.
[Evan] Good job by the Casselberry police.

The employee was fired.

The department would not provide her name.

Officials say the employee abused the access to personal information that her position granted her.
[Evan] Privilege escalation.  I wonder if she had to manipulate her technical privileges in order to obtain access or if access was just there to begin with and she went outside of her implied boundaries.

Department spokeswoman Jenn Meale said people filing the complaints provided more personal information than the department normally requests.
[Evan] Two problems here.  One is the tendency for people to provide more information than they should without questioning.  The second is the department’s decision to collect and store more information than what is needed.  If a person provides too much information and some of that information is sensitive, discard it (securely).

Anyone who filed a complaint form that could have been reviewed by the woman is being contacted by the department.

"In an abundance of caution the Secretary took it upon himself to inform about 150 or so customers who she had access to their personal information so that they can be on the lookout for any misuse in their personal financial accounts," says Jenn Meale, Communications Director at DBPR.
[Evan] There's the "abundance of caution" phrase again.  Ugh.  What's with "the Secretary took it upon himself"?  Is someone trying to butter up?

Commentary:
A bad apple is a bad apple.  We try to pick them out before we plant them with background checks and other hiring procedures, but some will inevitably get through or turn bad after the fact.  The question then becomes: what mitigating controls can we put in place to limit risk?

Past Breaches:
State of Florida:
July, 2008 - Florida's Agency for Health Care Administration reports a breach 
January, 2008 - Five stolen Florida Department of Children and Families laptops


 