Sensitive records publicly available, this time Johnston County
Technorati Tag: Security Breach
Date Reported:
10/20/08
Organization:
Johnston County (NC)
Contractor/Consultant/Branch:
Register of Deeds
Location:
Smithfield, North Carolina
Victims:
Residents with registered deeds
Number Affected:
"As many as 22,000 online records"
Types of Data:
Names, addresses, Social Security numbers and other sensitive information
Breach Description:
A resident has discovered that her personal information, including Social Security number is readily available to the public through the Johnston County, North Carolina Register of Deeds web site. The information is also available to anyone that asks for it. According to the Johnston County Register of Deeds, this is a statewide problem.
Reference URL:
WRAL.com
Report Credit:
Kelcey Carlson, WRAL.com
Response:
From the online source cited above:
The surprise that Donna Eason says she found online was not a good one.
While doing research on the Johnston County Register of Deeds' Web site over the weekend, Eason saw her and her husband's Social Security number on housing documents posted to the site.
"I was furious," she said. "Because everything is on the Web now."
[Evan] This is good. It's not good that sensitive information is publicly available, but it is good that Mrs. Eason is furious. People who are furious might be more apt to spur or demand change.
The office removed the information almost immediately at Eason's request, but the problem is statewide and leaves registrars of deeds, like Craig Olive, frustrated.
[Evan] Statewide and from what we have read in the past, likely nationwide.
As many as 22,000 online records in the office contain that same information. And many people have no idea.
[Evan] This is very important to note. The "people have no idea". This is one primary motivation for writing and posting on The Breach Blog. People who are interested should know. They are the information owners.
"The law is not tough enough to help protect the citizens I serve," said Olive, who heads the Register of Deeds office in Johnston County.
[Evan] Unfortunately many of our laws are written by idiots. The idiots we elect. This comment is not "politically correct", but I think we should call a dog a dog irregardless.
The state's Identity Theft Protection Act, passed in 2005, only allows a register of deeds to remove a Social Security or bank account number at a citizen's request.
It also prevents new documents from being filed with personal numbers.
that means little for people with old documents that date back decades
Anyone can still go to the register of deeds office and find that personal information on public computer terminals and the paper copies.
[Evan] I would assume that there are people who do this. A person could go to the county records offices and gather information that could be pretty damaging. Why go though the work of "hacking" and phishing, when you can just drive down to the county seat?
"Anybody can come in," Oliver said. "It's open public records law, and they can get them a Social Security Number."
Each year, Olive says, he sends a letter to Johnston County's state lawmakers saying consumers are at risk and that software can remove all personal information at once.
"They're just making it easier for thieves," Eason said.
But the issue of redacting personal information from old documents is complicated, says Jeff Gray, a legislative lobbyist on law enforcement issues who also served as an assistant attorney general when Gov. Mike Easley was attorney general.
[Evan] I don't think "complicated" should be used as a valid excuse.
"Essentially, you're changing a legal document," Gray said. And that's not something that should be done without careful thought."
Under law, citizens have the right to ask the Register of Deeds or Clerk of Courts for their Social Security Number be removed from online postings, Noelle Talley, a spokeswoman for the North Carolina Attorney General's Office, said.
The Registers of Deeds pushed for the provision because, at the time, Talley said, because they did not have the resources to remove the information from older documents.
[Evan] I don't think lack of resources is a valid excuse either.
"We're glad to hear that (Olive) would now support a law that would require Social Security numbers to be removed," Talley said.
[Evan] Does it matter what Olive supports? It's good to know I suppose, but shouldn't we do that which is right and what the constituents support?
In the meantime, Olive says he plans to notify residents who have personal information online.
[Evan] Prominently displayed on the Register of Deed web site is a link to "How to get your sensitive information removed from our website".
Anyone can look up their records by going to the Register of Deeds Web site in their county.
Commentary:
Counties across the county know that they provide sensitive personal information to the general public. Unfortunately Johnston County is nowhere near being alone in this issue. As long as Social Security numbers are used as identification and authentication, and as long as people continue to not practice good information security practices, and as long as people remain indifferent, we will continue to read about stories just like this one.
On a side note, I wanted to know more about the software counties use on their records related web sites. I noticed that Johnston County Register of Deeds uses a product name OnCore®, from Aptitude Solutions, which is a Division of Fidelity National Information Services.According the OnCore® brochure, the software is used by "more than 3,100 county governments across the nation". That's a lot of counties. (Corrected 11/19/08)
Past Breaches:
Unknown
Date Reported:10/20/08
Organization:
Johnston County (NC)
Contractor/Consultant/Branch:
Register of Deeds
Location:
Smithfield, North Carolina
Victims:
Residents with registered deeds
Number Affected:
"As many as 22,000 online records"
Types of Data:
Names, addresses, Social Security numbers and other sensitive information
Breach Description:
A resident has discovered that her personal information, including Social Security number is readily available to the public through the Johnston County, North Carolina Register of Deeds web site. The information is also available to anyone that asks for it. According to the Johnston County Register of Deeds, this is a statewide problem.
Reference URL:
WRAL.com
Report Credit:
Kelcey Carlson, WRAL.com
Response:
From the online source cited above:
The surprise that Donna Eason says she found online was not a good one.
While doing research on the Johnston County Register of Deeds' Web site over the weekend, Eason saw her and her husband's Social Security number on housing documents posted to the site.
"I was furious," she said. "Because everything is on the Web now."
[Evan] This is good. It's not good that sensitive information is publicly available, but it is good that Mrs. Eason is furious. People who are furious might be more apt to spur or demand change.
The office removed the information almost immediately at Eason's request, but the problem is statewide and leaves registrars of deeds, like Craig Olive, frustrated.
[Evan] Statewide and from what we have read in the past, likely nationwide.
As many as 22,000 online records in the office contain that same information. And many people have no idea.
[Evan] This is very important to note. The "people have no idea". This is one primary motivation for writing and posting on The Breach Blog. People who are interested should know. They are the information owners.
"The law is not tough enough to help protect the citizens I serve," said Olive, who heads the Register of Deeds office in Johnston County.
[Evan] Unfortunately many of our laws are written by idiots. The idiots we elect. This comment is not "politically correct", but I think we should call a dog a dog irregardless.
The state's Identity Theft Protection Act, passed in 2005, only allows a register of deeds to remove a Social Security or bank account number at a citizen's request.
It also prevents new documents from being filed with personal numbers.
that means little for people with old documents that date back decades
Anyone can still go to the register of deeds office and find that personal information on public computer terminals and the paper copies.
[Evan] I would assume that there are people who do this. A person could go to the county records offices and gather information that could be pretty damaging. Why go though the work of "hacking" and phishing, when you can just drive down to the county seat?
"Anybody can come in," Oliver said. "It's open public records law, and they can get them a Social Security Number."
Each year, Olive says, he sends a letter to Johnston County's state lawmakers saying consumers are at risk and that software can remove all personal information at once.
"They're just making it easier for thieves," Eason said.
But the issue of redacting personal information from old documents is complicated, says Jeff Gray, a legislative lobbyist on law enforcement issues who also served as an assistant attorney general when Gov. Mike Easley was attorney general.
[Evan] I don't think "complicated" should be used as a valid excuse.
"Essentially, you're changing a legal document," Gray said. And that's not something that should be done without careful thought."
Under law, citizens have the right to ask the Register of Deeds or Clerk of Courts for their Social Security Number be removed from online postings, Noelle Talley, a spokeswoman for the North Carolina Attorney General's Office, said.
The Registers of Deeds pushed for the provision because, at the time, Talley said, because they did not have the resources to remove the information from older documents.
[Evan] I don't think lack of resources is a valid excuse either.
"We're glad to hear that (Olive) would now support a law that would require Social Security numbers to be removed," Talley said.
[Evan] Does it matter what Olive supports? It's good to know I suppose, but shouldn't we do that which is right and what the constituents support?
In the meantime, Olive says he plans to notify residents who have personal information online.
[Evan] Prominently displayed on the Register of Deed web site is a link to "How to get your sensitive information removed from our website".
Anyone can look up their records by going to the Register of Deeds Web site in their county.
Commentary:
Counties across the county know that they provide sensitive personal information to the general public. Unfortunately Johnston County is nowhere near being alone in this issue. As long as Social Security numbers are used as identification and authentication, and as long as people continue to not practice good information security practices, and as long as people remain indifferent, we will continue to read about stories just like this one.
On a side note, I wanted to know more about the software counties use on their records related web sites. I noticed that Johnston County Register of Deeds uses a product name OnCore®, from Aptitude Solutions, which is a Division of Fidelity National Information Services.
Past Breaches:
Unknown
Posted by Evan Francen at 10/23/2008 9:42 AM 
Categories: Poor Business Practice, Johnston County (NC)
Categories: Poor Business Practice, Johnston County (NC)
Posts Atom 1.0
I have to correct you sir. You stated that OnCore is used by over 3,100 counties. Wrong. That would mean they would service every single County and City government across the country. Read a little closer next time and think about what you spew.
Reply to this
Vader, I stand corrected. There are 3,141 counties and county equivalents according to the USGS. I don't know how many cities there are. I misread the OnCore brochure and upon a deeper look, we don't know how many OnCore customers there are.
"Read a little closer next time and think about what you spew."
I will read a little closer next time. I am a product of our public school system, so please cut me some slack. Funny.
Reply to this
The fact is, Craig Olive knows about this and should remove the info immediately. The information could be redacted without changing the original document. Until he does, it shouldn't be on the web.
Reply to this
I agree with you Sam. Are you a local? If so, what options can you think of using to drive for a change? Unfortunately, many people don't change unless they have to. Especially if there is effort involved.
Reply to this