Iowa County Recorders Association exposes Iowa property owners
Technorati Tag: Security Breach
Date Reported:
9/2/08
Updated on 9/10/08:
The DesMoines Register reports "Web site with Iowans' ID data shut down"
[Evan] Things can change if enough people demand it!
Organization:
Iowa County Recorders Association, Inc.
Contractor/Consultant/Branch:
None
Victims:
Iowa property owners
Number Affected:
"thousands"
Types of Data:
"home mortgage records" including Social Security numbers*
*"A 2002 Iowa law prohibits the use of Social Security numbers on public records", but some of the information exposed dates back to the 1980s
Breach Description:
"DES MOINES, Iowa - A Web site sponsored by elected officials includes Social Security numbers and other data for thousands of Iowans -- including Gov. Chet Culver."
Reference URL:
The Des Moines Register
Associated Press via The Chicago Tribune
The Virginia Watchdog
Report Credit:
Jason Clayworth, The Des Moines Register
Response:
From the online sources cited above:
Gov. Chet Culver on Tuesday requested the immediate removal of information from a Web site sponsored by Iowa elected officials that includes his Social Security number and those of thousands of other Iowans
However, only the governor's private information and that of Secretary of State Michael Mauro and his wife, Dorothy, was removed from the site, IowaLandRecords.org.
[Evan] This is because the Iowa County Recorders Association will only remove personal information if the person it belongs to requests it, "typically within 24 hours". I don't think there is any favoritism here.
Records containing private information of other Iowans remained publicly accessible on the site, which is sponsored by the Iowa County Recorders Association.
[Evan] How crappy is it when an organization knows that their processes expose sensitive information, and they choose to do nothing about it?
Administrators of IowaLandRecords.org removed the governor's and secretary of state's information from the site after a story was published on DesMoinesRegister.com about concerns the Web site could contribute to identity theft.
"Governor Culver is committed to protecting the privacy of Iowans, which is why he was disturbed to learn that the Social Security numbers of several Iowans, including his own, were available to be viewed by the public on a Web site controlled by the Iowa County Recorders Association," said Troy Price, a spokesman for the governor.
[Evan] Great. The Governor was "disturbed to learn" that thousands of his constituents' personal information is exposed. Mr. Price, the Governor's spokesman states that Mr. Culver is "committed to protecting" his constituents' personal information, but what does he plan to do about this? It is one thing to say he is committed, it is another to demonstrate the commitment through action.
The Web site includes home mortgage records and other documents from each of the state's 99 counties.
It was launched in January 2005 by the recorders association, fed largely by Iowa county recorders.
Some county recorders have uploaded information dating from the 1980s, while others have provided only information from the past decade.
A 2002 Iowa law prohibits the use of Social Security numbers on public records.
[Evan] This seems like a good idea. Kudos to Iowa lawmakers.
But hundreds of thousands of records created prior to that date have, for years, remained open to the public on the Web site.
Officials with the recorders association said individuals can request that their information be removed.
[Evan] Is this a poor and lazy cop out? If the recorders association wanted to do the right thing, they would redact all sensitive information.
West Des Moines resident George Davey asked the Iowa attorney general's office on Tuesday to force the recorders association to pull private records from the Web site.
Attorney general's office spokesman Bob Brammer said the issue was being explored but it was unlikely the attorney general could force the site to shut down.
[Evan] It is not illegal to collect and post Social Security numbers on a public Web site. It is illegal to use them, i.e. to commit identity theft.
Virginia resident Betty Ostergren, who advocates for privacy issues on her Web site, TheVirginiaWatchdog.com - said Social Security numbers should be removed automatically instead of only upon request.
[Evan] A reasonable, yet expensive request.
Ostergren downloaded Culver's Social Security number, as well as that of Mauro and his wife, before they were redacted Tuesday morning.
She threatened to post them on her site unless all records with Social Security numbers are removed or redacted.
[Evan] Ugh. This doesn't make me feel comfortable. I am not a big fan or threats or holding someone else's personal information hostage.
"If they only black out just a few Social Security numbers like these people's, that is wrong and unfair to people who have no clue this is going on," Ostergren said. "They need to protect all or no one's."
Ostergren said her husband was a victim of identity theft several years ago. She advocates for reforms on her Web site: www.opcva.com/watchdog/index.html
Many counties that feed information into the Web site have limited staff members, who lack time to redact Social Security numbers on public documents dated before July 1, 2002, said Joyce Jensen, an IowaLandRecords.org board member and Cass County recorder.
[Evan] Good excuse?
She acknowledged that thousands of Social Security numbers are listed in her association's online records.
While her association has concerns, Jensen pointed out that county recorders and staff for IowaLandRecords.org will redact individual information upon request, typically within 24 hours.
Phil Dunshee, a project manager for the Web site, said the recorders association has already declined to fully post some records because of personal information.
[Evan] What a good Samaritan Mr. Dunshee is.
Tax liens, for example, are not available for downloading because they often include Social Security numbers, he said.
Dunshee said late Tuesday that the recorders' governing board is reviewing Culver's request but that it had not yet agreed to remove the land records from the site.
"Obviously this is a very important source of concern. We take it seriously. That's why we have the policies that we do," Dunshee said.
[Evan] Where is the action? I can only imagine how valuable the policies are. The fact of the matter is that the association knows they have a problem and have decided to do nothing about it, which to me is unacceptable and a poor management decision.
Davey, the West Des Moines resident, also contacted Iowa lawmakers about the issue on Tuesday.
He said he even found an old credit card number on one of his public documents posted on the Web site.
After looking closer at the site, he was able to pull more than 50 Social Security numbers in less than an hour, including Culver's and Mauro's.
"If I can get 50 Social Security numbers in minutes, then just imagine how many a team of skilled hackers could get over a one month-long period," Davey said. "Hackers are not the cause of identity theft, careless government agencies and holders of information, are the cause."
[Evan] There are many causes of identity theft. What baffles me is the fact that so many organizations public and private alike, just don't get it. So much of information security is common sense.
Most states, including Iowa, have stopped including Social Security numbers on public records but have not made their laws retroactive, according to the Property Records Industry Association.
[Evan] Making the laws retroactive would be more effective, but also much more expensive.
In Iowa, records dated after July 1, 2002, should not contain Social Security numbers.
[Evan] Notice the word "should"? "Should" should be "must".
Florida and California have taken steps to completely redact certain personal information from public records.
State Sen. Steve Kettering, a Lake View Republican, worked on a committee that successfully pushed for the notification law. Iowa government should take the same steps and send letters to citizens if their Social Security numbers have been made public, he said.
"I’ve always been a believer that government ought to do what it requires private enterprise to do," Kettering said. "If the state has put people at risk, the state should take that step."
Commentary:
How disturbing. It seems wrong when an organization knows it has a significant exposure and decides to do nothing about it. Iowans need to stand up and demand a change.
Past Breaches:
Unknown
Date Reported:9/2/08
Updated on 9/10/08:
The DesMoines Register reports "Web site with Iowans' ID data shut down"
[Evan] Things can change if enough people demand it!
Organization:
Iowa County Recorders Association, Inc.
Contractor/Consultant/Branch:
None
Victims:
Iowa property owners
Number Affected:
"thousands"
Types of Data:
"home mortgage records" including Social Security numbers*
*"A 2002 Iowa law prohibits the use of Social Security numbers on public records", but some of the information exposed dates back to the 1980s
Breach Description:
"DES MOINES, Iowa - A Web site sponsored by elected officials includes Social Security numbers and other data for thousands of Iowans -- including Gov. Chet Culver."
Reference URL:
The Des Moines Register
Associated Press via The Chicago Tribune
The Virginia Watchdog
Report Credit:
Jason Clayworth, The Des Moines Register
Response:
From the online sources cited above:
Gov. Chet Culver on Tuesday requested the immediate removal of information from a Web site sponsored by Iowa elected officials that includes his Social Security number and those of thousands of other Iowans
However, only the governor's private information and that of Secretary of State Michael Mauro and his wife, Dorothy, was removed from the site, IowaLandRecords.org.
[Evan] This is because the Iowa County Recorders Association will only remove personal information if the person it belongs to requests it, "typically within 24 hours". I don't think there is any favoritism here.
Records containing private information of other Iowans remained publicly accessible on the site, which is sponsored by the Iowa County Recorders Association.
[Evan] How crappy is it when an organization knows that their processes expose sensitive information, and they choose to do nothing about it?
Administrators of IowaLandRecords.org removed the governor's and secretary of state's information from the site after a story was published on DesMoinesRegister.com about concerns the Web site could contribute to identity theft.
"Governor Culver is committed to protecting the privacy of Iowans, which is why he was disturbed to learn that the Social Security numbers of several Iowans, including his own, were available to be viewed by the public on a Web site controlled by the Iowa County Recorders Association," said Troy Price, a spokesman for the governor.
[Evan] Great. The Governor was "disturbed to learn" that thousands of his constituents' personal information is exposed. Mr. Price, the Governor's spokesman states that Mr. Culver is "committed to protecting" his constituents' personal information, but what does he plan to do about this? It is one thing to say he is committed, it is another to demonstrate the commitment through action.
The Web site includes home mortgage records and other documents from each of the state's 99 counties.
It was launched in January 2005 by the recorders association, fed largely by Iowa county recorders.
Some county recorders have uploaded information dating from the 1980s, while others have provided only information from the past decade.
A 2002 Iowa law prohibits the use of Social Security numbers on public records.
[Evan] This seems like a good idea. Kudos to Iowa lawmakers.
But hundreds of thousands of records created prior to that date have, for years, remained open to the public on the Web site.
Officials with the recorders association said individuals can request that their information be removed.
[Evan] Is this a poor and lazy cop out? If the recorders association wanted to do the right thing, they would redact all sensitive information.
West Des Moines resident George Davey asked the Iowa attorney general's office on Tuesday to force the recorders association to pull private records from the Web site.
Attorney general's office spokesman Bob Brammer said the issue was being explored but it was unlikely the attorney general could force the site to shut down.
[Evan] It is not illegal to collect and post Social Security numbers on a public Web site. It is illegal to use them, i.e. to commit identity theft.
Virginia resident Betty Ostergren, who advocates for privacy issues on her Web site, TheVirginiaWatchdog.com - said Social Security numbers should be removed automatically instead of only upon request.
[Evan] A reasonable, yet expensive request.
Ostergren downloaded Culver's Social Security number, as well as that of Mauro and his wife, before they were redacted Tuesday morning.
She threatened to post them on her site unless all records with Social Security numbers are removed or redacted.
[Evan] Ugh. This doesn't make me feel comfortable. I am not a big fan or threats or holding someone else's personal information hostage.
"If they only black out just a few Social Security numbers like these people's, that is wrong and unfair to people who have no clue this is going on," Ostergren said. "They need to protect all or no one's."
Ostergren said her husband was a victim of identity theft several years ago. She advocates for reforms on her Web site: www.opcva.com/watchdog/index.html
Many counties that feed information into the Web site have limited staff members, who lack time to redact Social Security numbers on public documents dated before July 1, 2002, said Joyce Jensen, an IowaLandRecords.org board member and Cass County recorder.
[Evan] Good excuse?
She acknowledged that thousands of Social Security numbers are listed in her association's online records.
While her association has concerns, Jensen pointed out that county recorders and staff for IowaLandRecords.org will redact individual information upon request, typically within 24 hours.
Phil Dunshee, a project manager for the Web site, said the recorders association has already declined to fully post some records because of personal information.
[Evan] What a good Samaritan Mr. Dunshee is.
Tax liens, for example, are not available for downloading because they often include Social Security numbers, he said.
Dunshee said late Tuesday that the recorders' governing board is reviewing Culver's request but that it had not yet agreed to remove the land records from the site.
"Obviously this is a very important source of concern. We take it seriously. That's why we have the policies that we do," Dunshee said.
[Evan] Where is the action? I can only imagine how valuable the policies are. The fact of the matter is that the association knows they have a problem and have decided to do nothing about it, which to me is unacceptable and a poor management decision.
Davey, the West Des Moines resident, also contacted Iowa lawmakers about the issue on Tuesday.
He said he even found an old credit card number on one of his public documents posted on the Web site.
After looking closer at the site, he was able to pull more than 50 Social Security numbers in less than an hour, including Culver's and Mauro's.
"If I can get 50 Social Security numbers in minutes, then just imagine how many a team of skilled hackers could get over a one month-long period," Davey said. "Hackers are not the cause of identity theft, careless government agencies and holders of information, are the cause."
[Evan] There are many causes of identity theft. What baffles me is the fact that so many organizations public and private alike, just don't get it. So much of information security is common sense.
Most states, including Iowa, have stopped including Social Security numbers on public records but have not made their laws retroactive, according to the Property Records Industry Association.
[Evan] Making the laws retroactive would be more effective, but also much more expensive.
In Iowa, records dated after July 1, 2002, should not contain Social Security numbers.
[Evan] Notice the word "should"? "Should" should be "must".
Florida and California have taken steps to completely redact certain personal information from public records.
State Sen. Steve Kettering, a Lake View Republican, worked on a committee that successfully pushed for the notification law. Iowa government should take the same steps and send letters to citizens if their Social Security numbers have been made public, he said.
"I’ve always been a believer that government ought to do what it requires private enterprise to do," Kettering said. "If the state has put people at risk, the state should take that step."
Commentary:
How disturbing. It seems wrong when an organization knows it has a significant exposure and decides to do nothing about it. Iowans need to stand up and demand a change.
Past Breaches:
Unknown
Posted by Evan Francen at 9/3/2008 9:59 PM 
Categories: Poor Business Practice, Iowa County Recorders Association
Categories: Poor Business Practice, Iowa County Recorders Association
Posts Atom 1.0
Comments