Three counties with privacy concerns, how many more?
Technorati Tag: Security Breach
Date Reported:
August, 2008
Organization:
Monroe County (NY)
Collier County (FL)
Milwaukee County (WI)
and others…
Contractor/Consultant/Branch:
None
Victims:
Residents
Number Affected:
Unknown
Types of Data:
Names, addresses, dates of birth, Social Security numbers, and other personal information
Breach Description:
In the past two weeks it has been reported that Monroe County, New York, Collier County, Florida, and Milwaukee County, Wisconsin all make sensitive personal information available to anyone willing to take the time and effort to access it. The Monroe County Clerk web site reportedly makes U.S. Bankruptcy Court documents available online that are not redacted, the Collier County Clerk of Courts makes court documents displaying personal information available as a matter of public record, and a news reporter in Milwaukee demonstrates how he was able to access "thousands" of sensitive personal records from public access systems.
Reference URL:
Monroe County - WHAM Channel 13 News
Collier County - WINK News
Milwaukee County - WUWM News
Report Credit:
Various
Response:
From the online sources cited above:
Monroe County:
(Rochester, N.Y.) - The Democratic candidate running for Monroe County Clerk said old records on the clerk's new Web site contain Social Security numbers that should not be there.
[Evan] The Monroe County report really has seems to have a political motive behind the disclosure. Just in case anyone was curious, I don't think information security has anything to do with your political affiliation.
County Clerk Cheryl DiNolfo said her staff is working to redact, or remove, Social Security numbers from the isolated documents that contain them online.
She said her opponent, Tom Hasman, is doing more harm than good by pointing this out, and could have just called her if he found someone's Social Security number on her Web site.
[Evan] There may be some truth to this. Most of us give the organization responsible a chance to clean up and contain prior to public disclosure. If protection of the victims were the motive, then the disclosure might have been handled a little differently. I am sure Mr. Hasman wants to score a win on this point, so he has incentive to get word out.
For the past two-and-a-half years, signs have warned county clerk customers not to file documents with Social Security numbers.
However, after a Web site upgrade this summer, users can now access millions of pages of older documents.
Hasman is calling for DiNolfo to take down the site.
[Evan] If sensitive information is still available, then this seems like a reasonable request.
"There is no higher responsibility of the county clerk than to keep our records safe. With this serious error occurring on her watch, Clerk DiNolfo has proven to us that she is not only irresponsible but she is not qualified to safeguard our records," he said
Though it’s true that DiNolfo's staff is looking to individually redact Social Security numbers from older documents, with 15-million pages to sift through, there's no guarantee when that will be completed.
[Evan] This is one of the problems in trying to secure something that was not built with security in mind.
Only certain documents appear to be at risk, such as foreclosures or bankruptcy filings dating back to 2000 through 2003.
If hackers can locate these documents, the risk of ID theft is real.
[Evan] The word "hackers" sounds so much more impressive doesn't it? It doesn't take much hacking to get at sensitive information that is readily available.
Anyone can also get a hard copy of these papers by showing up in person.
Hasman, who works in computer security, says pulling down the site is the responsible thing to do.
[Evan] "Tom currently works from home as a Senior Information Security Analyst in Rochester, NY for SRA International of Arlington, VA. As a Senior Information Security Analyst, Tom assists government departments such as Treasury and Homeland Security in protecting their computer systems and vital records from cyber-threats." (Source: About Tom Hasman) Maybe Democrats are better at securing information! (Kidding.)
DiNolfo says it's tough to argue, but it's not political when a press conference is pointing people to Social Security numbers.
Collier County:
Court documents containing your social security numbers, bank account numbers, and other personal information are available as public record.
[Evan] Sensitive private information in the public record. Does anyone else see a problem with this statement?
Michael Gooley was arrested last weekend for a traffic violation. We found his personal information at the Collier County Clerk of Courts.
"I didn't know that my social security and pretty much everything else everybody needed to get whatever they wanted from me," Gooley said.
The information was available to view for free or printed copies could be purchased for a dollar a page. One page had enough information to open a credit card online in Gooley's name.
Dwight Brock is the Clerk of Court in Collier County.
"There is a good chance under the law that there are public records available for anybody to come in and get," Brock said.
An attorney we spoke with at the State Attorney's Office says state laws governing the release of personal information have not been challenged or clarified, meaning it's up to each court to establish it's own policy.
[Evan] How does this make sense?
Regardless, the law says that you can ask the court to remove your personal information from the file.
[Evan] Assuming you know how and assuming you know what information that county has collected about you.
"Identify for us what it is you want redacted from it, relative to your social security number or bank account number and at no cost we will redact that information before we ever give that out to the public," Brock said.
[Evan] I was actually surprised to read that there is no cost. It seems plausible that some counties could "justify" charging a fee for this.
According to law, such request must be made in writing by mail, fax, or email, or delivered in person, to the Clerk of Courts recording department.
[Evan] Collier County Clerk of Courts contact information is here.
Milwaukee County:
WUWM News Intern Matt Schultz thought he’d test how easy or difficult it is to access personal information, including in downtown Milwaukee.
[Evan] Gutsy
I started my search on the computer at work.
[Evan] I wouldn't necessarily try this at your work.
It took me only a few hours to find 30 different social security numbers, all of which were assigned to physicians.
One of them, Dr. James Stiehl, lives in Milwaukee, so I gave him a call.
[MATT SCHULTZ] "I do have two different social security numbers for you. One’s corporate and I’m assuming one is your birth one. And the one I have here is XXX-XX-XXXX. That is correct?"
[DR. STIEHL] Yes.
[MATT SCHULTZ] "Do you have any idea on how I would have gotten this information?"
[DR. STIEHL] Nope.
Next, I headed to the Register of Deeds Office at the Milwaukee County Courthouse.
A clerk showed me how to use the free public terminals to search through deeds, mortgages and bankruptcy files, places I thought I might find social security numbers, but didn't find any there.
Larry Eckert is the Deputy Register of Deeds. He says a social security number isn’t on every document.
“The only vital record that has a social security number that the public can see is a death record," says Eckert.
[Evan] Au contraire.
Undaunted I continued my search, and despite Eckert’s assurances, found a wealth of personal information on other documents: people’s signatures, telephone numbers, addresses and social security numbers.
Before lunch I had gained access to thousands of names, social security numbers, addresses and telephone numbers.
[Evan] Thousands before lunch!?
I asked Deputy Register of Deeds Eckert if there’s a way to remove personal information from the public records so it can’t be stolen and abused.
“I have no idea if there’s a way to change them," Eckert says.
A state government employee says there is a way to purge some personal information. David Tatar manages Wisconsin’s Office of Privacy Protection.
“Most agencies including our own will redact any personal identifiable information to protect the public and we certainly do that on a routine basis. So when it comes to public records, that does not mean that anyone can request that personal information and get it", Tatar says.
Despite the availability of personal information in some government data bases, Paul Stephens says people should not be overly alarmed. Stephens works for the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego.
[Evan] I agree with Mr. Stephens that people shouldn't be "overly" alarmed, but people should demand change. As long as the disclosure of information (in this case primarily Social Security numbers) has the potential to cause a person harm, it must be protected. In my opinion, the information highlighted in this story is not protected.
“When you have these documents in a governmental repository and it does require the affirmative step of an individual coming in there looking up the records and then copying down the information or making a copy of the record, that serves somewhat as a deterrent", Stephens says.
[Evan] A deterrent, maybe, but certainly not a great deterrent. A person can spend a day and potentially access thousands of sensitive records. If each record fetches a couple of bucks (selling to bad guys), then it could be a significant pay day. Would any law be broken by the person who collected it and sold it if the information was "publicly" available?
Commentary:
There are laws and regulations that govern some of the ways that organizations must protect sensitive information. Many of these laws and regulations were put in place to force organizations to do the "right thing". If organizations had been doing the "right thing" all along, there probably wouldn't be a need for the laws and regulations. How can we expect organizations to comply with the "right thing", when the government does not? What makes this worse is that fact that only one of the counties in the posting even has a plan to correct the issue.
Frustrating.
Past Breaches:
Milwaukee County:
February, 2008 - Sensitive Milwaukee County information posted to Web
Date Reported:August, 2008
Organization:
Monroe County (NY)
Collier County (FL)
Milwaukee County (WI)
and others…
Contractor/Consultant/Branch:
None
Victims:
Residents
Number Affected:
Unknown
Types of Data:
Names, addresses, dates of birth, Social Security numbers, and other personal information
Breach Description:
In the past two weeks it has been reported that Monroe County, New York, Collier County, Florida, and Milwaukee County, Wisconsin all make sensitive personal information available to anyone willing to take the time and effort to access it. The Monroe County Clerk web site reportedly makes U.S. Bankruptcy Court documents available online that are not redacted, the Collier County Clerk of Courts makes court documents displaying personal information available as a matter of public record, and a news reporter in Milwaukee demonstrates how he was able to access "thousands" of sensitive personal records from public access systems.
Reference URL:
Monroe County - WHAM Channel 13 News
Collier County - WINK News
Milwaukee County - WUWM News
Report Credit:
Various
Response:
From the online sources cited above:
Monroe County:
(Rochester, N.Y.) - The Democratic candidate running for Monroe County Clerk said old records on the clerk's new Web site contain Social Security numbers that should not be there.
[Evan] The Monroe County report really has seems to have a political motive behind the disclosure. Just in case anyone was curious, I don't think information security has anything to do with your political affiliation.
County Clerk Cheryl DiNolfo said her staff is working to redact, or remove, Social Security numbers from the isolated documents that contain them online.
She said her opponent, Tom Hasman, is doing more harm than good by pointing this out, and could have just called her if he found someone's Social Security number on her Web site.
[Evan] There may be some truth to this. Most of us give the organization responsible a chance to clean up and contain prior to public disclosure. If protection of the victims were the motive, then the disclosure might have been handled a little differently. I am sure Mr. Hasman wants to score a win on this point, so he has incentive to get word out.
For the past two-and-a-half years, signs have warned county clerk customers not to file documents with Social Security numbers.
However, after a Web site upgrade this summer, users can now access millions of pages of older documents.
Hasman is calling for DiNolfo to take down the site.
[Evan] If sensitive information is still available, then this seems like a reasonable request.
"There is no higher responsibility of the county clerk than to keep our records safe. With this serious error occurring on her watch, Clerk DiNolfo has proven to us that she is not only irresponsible but she is not qualified to safeguard our records," he said
Though it’s true that DiNolfo's staff is looking to individually redact Social Security numbers from older documents, with 15-million pages to sift through, there's no guarantee when that will be completed.
[Evan] This is one of the problems in trying to secure something that was not built with security in mind.
Only certain documents appear to be at risk, such as foreclosures or bankruptcy filings dating back to 2000 through 2003.
If hackers can locate these documents, the risk of ID theft is real.
[Evan] The word "hackers" sounds so much more impressive doesn't it? It doesn't take much hacking to get at sensitive information that is readily available.
Anyone can also get a hard copy of these papers by showing up in person.
Hasman, who works in computer security, says pulling down the site is the responsible thing to do.
[Evan] "Tom currently works from home as a Senior Information Security Analyst in Rochester, NY for SRA International of Arlington, VA. As a Senior Information Security Analyst, Tom assists government departments such as Treasury and Homeland Security in protecting their computer systems and vital records from cyber-threats." (Source: About Tom Hasman) Maybe Democrats are better at securing information! (Kidding.)
DiNolfo says it's tough to argue, but it's not political when a press conference is pointing people to Social Security numbers.
Collier County:
Court documents containing your social security numbers, bank account numbers, and other personal information are available as public record.
[Evan] Sensitive private information in the public record. Does anyone else see a problem with this statement?
Michael Gooley was arrested last weekend for a traffic violation. We found his personal information at the Collier County Clerk of Courts.
"I didn't know that my social security and pretty much everything else everybody needed to get whatever they wanted from me," Gooley said.
The information was available to view for free or printed copies could be purchased for a dollar a page. One page had enough information to open a credit card online in Gooley's name.
Dwight Brock is the Clerk of Court in Collier County.
"There is a good chance under the law that there are public records available for anybody to come in and get," Brock said.
An attorney we spoke with at the State Attorney's Office says state laws governing the release of personal information have not been challenged or clarified, meaning it's up to each court to establish it's own policy.
[Evan] How does this make sense?
Regardless, the law says that you can ask the court to remove your personal information from the file.
[Evan] Assuming you know how and assuming you know what information that county has collected about you.
"Identify for us what it is you want redacted from it, relative to your social security number or bank account number and at no cost we will redact that information before we ever give that out to the public," Brock said.
[Evan] I was actually surprised to read that there is no cost. It seems plausible that some counties could "justify" charging a fee for this.
According to law, such request must be made in writing by mail, fax, or email, or delivered in person, to the Clerk of Courts recording department.
[Evan] Collier County Clerk of Courts contact information is here.
Milwaukee County:
WUWM News Intern Matt Schultz thought he’d test how easy or difficult it is to access personal information, including in downtown Milwaukee.
[Evan] Gutsy
I started my search on the computer at work.
[Evan] I wouldn't necessarily try this at your work.
It took me only a few hours to find 30 different social security numbers, all of which were assigned to physicians.
One of them, Dr. James Stiehl, lives in Milwaukee, so I gave him a call.
[MATT SCHULTZ] "I do have two different social security numbers for you. One’s corporate and I’m assuming one is your birth one. And the one I have here is XXX-XX-XXXX. That is correct?"
[DR. STIEHL] Yes.
[MATT SCHULTZ] "Do you have any idea on how I would have gotten this information?"
[DR. STIEHL] Nope.
Next, I headed to the Register of Deeds Office at the Milwaukee County Courthouse.
A clerk showed me how to use the free public terminals to search through deeds, mortgages and bankruptcy files, places I thought I might find social security numbers, but didn't find any there.
Larry Eckert is the Deputy Register of Deeds. He says a social security number isn’t on every document.
“The only vital record that has a social security number that the public can see is a death record," says Eckert.
[Evan] Au contraire.
Undaunted I continued my search, and despite Eckert’s assurances, found a wealth of personal information on other documents: people’s signatures, telephone numbers, addresses and social security numbers.
Before lunch I had gained access to thousands of names, social security numbers, addresses and telephone numbers.
[Evan] Thousands before lunch!?
I asked Deputy Register of Deeds Eckert if there’s a way to remove personal information from the public records so it can’t be stolen and abused.
“I have no idea if there’s a way to change them," Eckert says.
A state government employee says there is a way to purge some personal information. David Tatar manages Wisconsin’s Office of Privacy Protection.
“Most agencies including our own will redact any personal identifiable information to protect the public and we certainly do that on a routine basis. So when it comes to public records, that does not mean that anyone can request that personal information and get it", Tatar says.
Despite the availability of personal information in some government data bases, Paul Stephens says people should not be overly alarmed. Stephens works for the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego.
[Evan] I agree with Mr. Stephens that people shouldn't be "overly" alarmed, but people should demand change. As long as the disclosure of information (in this case primarily Social Security numbers) has the potential to cause a person harm, it must be protected. In my opinion, the information highlighted in this story is not protected.
“When you have these documents in a governmental repository and it does require the affirmative step of an individual coming in there looking up the records and then copying down the information or making a copy of the record, that serves somewhat as a deterrent", Stephens says.
[Evan] A deterrent, maybe, but certainly not a great deterrent. A person can spend a day and potentially access thousands of sensitive records. If each record fetches a couple of bucks (selling to bad guys), then it could be a significant pay day. Would any law be broken by the person who collected it and sold it if the information was "publicly" available?
Commentary:
There are laws and regulations that govern some of the ways that organizations must protect sensitive information. Many of these laws and regulations were put in place to force organizations to do the "right thing". If organizations had been doing the "right thing" all along, there probably wouldn't be a need for the laws and regulations. How can we expect organizations to comply with the "right thing", when the government does not? What makes this worse is that fact that only one of the counties in the posting even has a plan to correct the issue.
Frustrating.
Past Breaches:
Milwaukee County:
February, 2008 - Sensitive Milwaukee County information posted to Web
Posted by Evan Francen at 8/18/2008 11:29 AM 
Categories: Poor Business Practice, Milwaukee County, collier county, Monroe County
Categories: Poor Business Practice, Milwaukee County, collier county, Monroe County
Posts Atom 1.0
Common sense is not too common among the various arms of our various Governments, each of which would want to put us in jail or fine us for doing what they do daily.
Reply to this