Louisiana Real Estate Commission mistake exposes realtor information
Date Reported:
8/28/08
Organization:
State of Louisiana
Contractor/Consultant/Branch:
Louisiana Real Estate Commission
Victims:
Licensed real estate agents
Number Affected:
"more than 13,000"
Types of Data:
"names, addresses and Social Security numbers"
Breach Description:
"BATON ROUGE -- A glitch during a computer upgrade at the Louisiana Real Estate Commission caused the names, addresses and Social Security numbers of more than 13,000 licensed agents to be exposed on the Internet last week, sending waves of concern through the real estate community statewide."
Reference URL:
The Times-Picayune
Report Credit:
Robert Travis Scott, The Times-Picayune
Response:
From the online source cited above:
BATON ROUGE -- A glitch during a computer upgrade at the Louisiana Real Estate Commission caused the names, addresses and Social Security numbers of more than 13,000 licensed agents to be exposed on the Internet last week, sending waves of concern through the real estate community statewide.
The commission, which is a state regulatory agency that oversees the licensing of all real estate agents and brokers, discovered the problem Friday after the confidential information had been accessible on the Internet for about two days, Executive Director J.C. Willie said.
"Are we concerned? I guess we got to be," said Mark Rodi, president of Louisiana Realtors, a private industry group. "But you can't get upset about what you can't control."
[Evan] I would be concerned and I would be upset. There are things that I can do as the owner of my information. I can push for change.
The commission has no way of knowing how many people might have accessed the file online
[Evan] Other than the compromise of confidentiality itself, this statement gives us some additional insight into how "secure" the information was. If the commission has "no way of knowing" who may have accessed the file, we can assume that there was insufficient logging. Logging access and attempted access to sensitive information is critical, especially on web servers.
Commission staff are preparing to send a letter to all the agents on the list informing them of the mishap and suggesting steps they should take to protect themselves from potential identity fraud.
[Evan] Now wouldn't it have been easier and less expensive to seek guidance from a trusted and experienced information security consultant?
the commission was transferring its online programs to a new server when the sensitive electronic file, which is not normally posted on the Internet, was left unsecured and slipped in among the commission materials that could be seen online.
[Evan] This is why we advocate change management with information security involvement.
The file was a large but incomplete list of licensed Louisiana real estate agents and brokers that was retained by the commission for its reports to a special insurance carrier that provides liability coverage for agents statewide.
The insurer in years past had required that all the agents be identified by their Social Security numbers.
That form of agent ID is no longer used by the commission or the insurance carrier.
But the commission had kept the old list with the Social Security numbers in its computer files
[Evan] Why? If the archival of sensitive information is no longer required by the business or by law, then destroy it!
An agent who discovered the list online contacted the commission Friday and the problem was corrected.
"It was an unfortunate occurrence, but it was handled immediately upon discovery," said Commission Chairwoman Gretchen Ezernack, a Monroe Realtor.
[Evan] There is a (good) chance that information security problems at the commission are larger than this one occurrence.
The commission contacted the Internet search engine companies Google and Yahoo to ensure that the pages were not being retained by their systems
it would be hard to pinpoint exactly who left the file exposed and that he expected there would be no consequences for whoever might be to blame
[Evan] There might not be consequences for the person to blame, but there are consequences nonetheless. An organization can't hold someone rightfully accountable if there is no policy or direction on how to handle sensitive information.
Rodi and Louisiana Realtors Chief Executive Malcolm Young said they were satisfied that the commission was doing all it could to address the problem.
As of Wednesday, the commission was preparing a report to the attorney general as well as the mass mailing to the agents on the list.
Commentary:
Obviously this compromise was the result of a mistake, but there are plenty of things we can do as information security professionals to minimize the frequency and impact of such mistakes.
Past Breaches:
October, 2007 - Iron Mountain loses LOSFA backup case
