More than 3000 affected by Indy.gov 11-day exposure

Date Reported:
10/15/08

Organization:
City of Indianapolis and Marion County, Indiana

Contractor/Consultant/Branch:
None

Location:
Indianapolis, Indiana

Victims:
"people charged with minor offenses during 2006 and 2007"

Number Affected:
"more than 3,000"

Types of Data:
"names, dates of birth and Social Security numbers"

Breach Description:
"INDIANAPOLIS -- The personal information of more than 3,000 people was posted on a government Web site for more than a week, city-county officials said Wednesday."

Reference URL:
Indianapolis Channel 6 News
The Indianapolis Star

Report Credit:
Indianapolis Channel 6 News

Response:
From the online sources cited above:

The personal information of about 3,300 people charged with minor drug and alcohol offenses was accidentally posted on the city of Indianapolis' new Web site for 11 days in late September and early this month, officials said Wednesday.

inadvertently posted on the indygov.org Web site on Sept. 29 during a site upgrade
[Evan] This is a good reason why we use change control and a good reason why an integral part of change control is information security involvement. On the surface, a web site upgrade may seem innocent enough, but the risk can be enormous. Everything accessible (on purpose or by accident) on or through a web site is public. Be very careful that ONLY public information is accessible and test the dickens out of it.

The mistake wasn't discovered until Oct. 9, when the file was immediately removed
[Evan] It is not clear how the file was discovered or by whom.

the Information Services Agency was alerted to the mistake.

As an added precaution, the entire site was removed from the Internet and replaced with its old version.
[Evan] Upgrade, expose sensitive information, and then downgrade back to square one.  Probably a good move in response to a poorly managed (at least security-wise) project.

"This is an unfortunate example of human error; however, once we discovered that personal information was posted, ISA took aggressive action to correct the problem, to notify the affected individuals and to prevent this type of disclosure from happening again," said Kevin Ortell, interim chief information officer for ISA.
[Evan] I think this is bigger than a simple "human error". I'm guessing it's more like a business process error that left the door open to human error.

The agency began mailing letters to those affected this week

A hot line was also established at to provide more information.

"This problem won't go away overnight," said Indiana Attorney General Steve Carter. "Once that information has been made available, we don't know who has it."
[Evan] Mr. Carter is correct.  How do you make compromised information confidential again?  You can't.  Is this information compromised?  Without a thorough investigation, we don't know.

City-County Councilwoman Angela Mansfield, who had criticized the upgrade of the Web site as a waste of taxpayer money, said the latest problem is disturbing.

"If you're going to change it, you should make it better, not create a situation where information is revealed that could be used for identity theft," she said.

Commentary:
Information security is a business issue.  Organizations that understand this are much better at integrating information security into the fabric of what they do.  Information security should be included in all development and upgrade projects as early on in the process as possible.  Making changes to systems without proper testing for both usability and security is risky.

Past Breaches:
Unknown


 