City of Coral Springs account compromise exposes sensitive information
Technorati Tag: Security Breach
Date Reported:
9/25/08
Organization:
City of Coral Springs (FL)
Contractor/Consultant/Branch:
"a data services provider"
Location:
Coral Springs, Florida
Victims:
Consumers
Number Affected:
Unknown*
*The letter to the New Hampshire Attorney General mentions 57 New Hampshire residents
Types of Data:
"name, address, date of birth, driver's license number, and Social Security number"
Breach Description:
The "City of Coral Springs, Florida contracts with a data services provider in order to provide it with access to personally identifiable information of consumers for legally permissible purposes, such as law enforcement and provision of other essential government services." "The City of Coral Springs discovered one of its identification numbers and passwords to access the database of the data services provider had been compromised."
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
Please be advised that the City of Coral Springs, Florida contracts with a data services provider in order to provide it with access to personally identifiable information of consumers for legally permissible purposes, such as law enforcement and provision of other essential government services.
[Evan] There is no mention as to the identity of the "data services provider".
Upon discovery of unusual account activity on its account, the City of Coral Springs contacted the data services provider and law enforcement.
The City of Coral Springs discovered one of its identification numbers and passwords to access the database of the data services provider had been compromised.
[Evan] Without knowing any details, I presume that the provider's site shows the user who has just logged in a message displaying the last time that account was logged in. Does that make sense? A "last login" message is oftentimes a good security practice because it is an easy tip-off to possible credential compromise.
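To make the "last login" idea concrete, here is an added example (not from the post, the notification, or any provider's code) of the logic such a provider could run on each login: show the user the previous successful login's time and source, and separately raise an alert to the provider's own monitoring when a success comes from a never-seen source or after a run of failures, which is the kind of "unusual account activity" the notification mentions. The account name, addresses and timestamps are constructed sample values.

```python
# Added example: a "last login" notice plus a simple unusual-activity check for
# a provider-side account. Account names, timestamps and IP addresses below are
# constructed sample values, not from the Coral Springs notification.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class LoginEvent:
    account: str
    when: datetime
    source: str        # client address as seen by the provider (constructed)
    succeeded: bool


@dataclass
class AccountState:
    last_success: Optional[LoginEvent] = None
    known_sources: set = field(default_factory=set)
    failures_since_success: int = 0


def record_login(state: AccountState, event: LoginEvent):
    """Update per-account state for one login attempt.

    Returns (notice, alerts): `notice` is the text shown to the user after a
    successful login (None on failure) and is built from the *previous*
    success, which is what lets a legitimate user spot a login they did not
    make; `alerts` go to the provider's own monitoring.
    """
    alerts = []
    if not event.succeeded:
        state.failures_since_success += 1
        if state.failures_since_success >= 5:
            alerts.append(f"{event.account}: {state.failures_since_success} "
                          "failed attempts since last successful login")
        return None, alerts

    prev = state.last_success
    if prev is None:
        notice = "This is the first recorded login for this account."
    else:
        notice = f"Last login: {prev.when.isoformat()} from {prev.source}."

    if state.known_sources and event.source not in state.known_sources:
        alerts.append(f"{event.account}: successful login from new source "
                      f"{event.source}")
    if state.failures_since_success >= 3:
        alerts.append(f"{event.account}: success after "
                      f"{state.failures_since_success} failed attempts")

    state.known_sources.add(event.source)
    state.failures_since_success = 0
    state.last_success = event
    return notice, alerts


def replay(events):
    """Run a sequence of events through fresh per-account state; returns the
    list of (notice, alerts) tuples in event order."""
    states = {}
    results = []
    for ev in events:
        state = states.setdefault(ev.account, AccountState())
        results.append(record_login(state, ev))
    return results


def _utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample history: routine logins, then a burst of failures and a
# success from an address the account has never used.
SAMPLE_EVENTS = [
    LoginEvent("city-user-01", _utc(2008, 9, 15, 9, 0), "198.51.100.10", True),
    LoginEvent("city-user-01", _utc(2008, 9, 16, 9, 5), "198.51.100.10", True),
    LoginEvent("city-user-01", _utc(2008, 9, 20, 2, 0), "203.0.113.7", False),
    LoginEvent("city-user-01", _utc(2008, 9, 20, 2, 1), "203.0.113.7", False),
    LoginEvent("city-user-01", _utc(2008, 9, 20, 2, 2), "203.0.113.7", False),
    LoginEvent("city-user-01", _utc(2008, 9, 20, 2, 10), "203.0.113.7", True),
]

if __name__ == "__main__":
    for notice, alerts in replay(SAMPLE_EVENTS):
        print(notice, alerts)
```

The point of building the notice from the previous success rather than the current one is that the legitimate user is the only party who knows whether that earlier login was theirs; the provider-side alerts do not depend on the user noticing anything.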
Use of the identification and password at issue were immediately terminated.
name, address, date of birth, driver's license number, and Social Security number may have been viewed.
There are no facts at this time to suggest that consumer information was used inappropriately.
Nevertheless, in an abundance of caution, please be aware that such viewing of your information may have occurred.
[Evan] Ugh! There is the "abundance of caution" phrase again. Do people believe that the city is practicing an "abundance of caution" in notifying people of a possible breach involving their personal information? Some people might just call it common (sense) courtesy. I have stated this many times, but the information belongs to the people (NOT the city).
notice will be sent to potentially affected consumers nationwide by U.S. mail on or about September 25, 2008.
this matter is currently under investigation by law enforcement
You may contact our consumer hotline toll-free at between the hours of 8 a.m. - 7 p.m. EST, Monday through Friday to help answer any questions you may have about what occurred, what assistance is available to you, and what steps you can take on your own.
Commentary:
The cause of this incident was a failure (or compromise) of identification (the "identification numbers") and authentication (the password). The city states that "one of its identification numbers and passwords" was compromised and subsequently used to access the account, which could have provided access to sensitive information.
I am still left with some questions, namely:
Can we assume that each authorized employee of the city has his/her own account, or does the city use shared accounts?
How was the account information compromised?
We can assume that the "data services provider" is in the business of collecting sensitive information and selling access to such information. Based on the information contained in the breach notification, it appears as though the data services provider secures the accounts granted access to sensitive information with a simple username/password authentication scheme, which is one of the weakest methods available (short of open access). An organization whose business is based upon collecting and selling access to sensitive information should know better. Why isn't stronger authentication used, such as two-factor authentication? For people who don't know, two-factor authentication is any combination of two of the three kinds of authenticators: something you know (e.g. a password or pass-phrase), something you have (e.g. a token) and something you are (e.g. a fingerprint). It may be tough to implement the "something you are" authenticator, but the other two are used online by many organizations.
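The difference between the two schemes is easy to show in code. Below is an added example (not the post's, the city's, or any provider's code) that puts a password-only login beside a two-factor login requiring a password plus a time-based one-time code of the kind a hardware token or authenticator app produces (RFC 6238 TOTP, the "something you have" factor). It uses only the Python standard library; the account name and password are constructed sample values, and the TOTP secret a real deployment would generate at enrolment is accepted as a parameter so the result can be checked against the RFC 6238 test vectors.

```python
# Added example: password-only login beside a two-factor login that also
# requires a time-based one-time code (RFC 6238 TOTP, the "something you have"
# factor generated by a token or authenticator app). Standard library only.
# The account name and password used with it are constructed sample values.
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30     # seconds per code
TOTP_DIGITS = 6


@dataclass
class Account:
    username: str
    salt: bytes
    password_digest: bytes
    totp_secret_b32: str   # shared with the user's token at enrolment


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(username: str, password: str, totp_secret_b32: str = None) -> Account:
    """Create an account; a fresh random TOTP secret is generated unless supplied."""
    salt = secrets.token_bytes(16)
    if totp_secret_b32 is None:
        totp_secret_b32 = base64.b32encode(secrets.token_bytes(20)).decode()
    return Account(username, salt, hash_password(password, salt), totp_secret_b32)


def totp(secret_b32: str, timestamp: int) -> str:
    """HOTP over the current 30-second counter, per RFC 4226/6238 (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(timestamp) // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, account.salt),
                               account.password_digest)


def verify_totp(account: Account, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(account.totp_secret_b32, timestamp + drift * TOTP_STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def login_password_only(account: Account, password: str) -> bool:
    """The weak scheme: whoever holds the password is in."""
    return verify_password(account, password)


def login_two_factor(account: Account, password: str, code: str, timestamp: int) -> bool:
    """Password (something you know) AND a current code (something you have)."""
    # Evaluate both factors so a bad password does not short-circuit the check.
    password_ok = verify_password(account, password)
    code_ok = verify_totp(account, code, timestamp)
    return password_ok and code_ok
```

With two factors, a password that leaks (whatever the mechanism) is not enough on its own: the one-time code changes every 30 seconds and is derived from a secret that never leaves the token and the provider. A production deployment would additionally rate-limit code attempts and reject reuse of a code within its window.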
This could be a bigger issue than just the City of Coral Springs.
Past Breaches:
Unknown

I received this letter in the mail, my husband received one, and one was sent to my parents' home addressed with my maiden name. We have never been to Coral Springs, we all live in Ohio - I am so annoyed by how vague this letter is! Is it some kind of scam? Is it from some kind of company? Like a credit card or online store or something? I wish the information would be more specific - like how the city of Coral Springs got our information to begin with, what were they doing with it? Very obnoxious.