Jefferson County (WV) will redact online personal information after breach
Technorati Tag: Security Breach
Date Reported:
10/29/08
Organization:
Jefferson County (WV)
Contractor/Consultant/Branch:
Jefferson County Clerk
Location:
Charles Town, West Virginia
Victims:
Current and former citizens
Number Affected:
Unknown
Types of Data:
"Social Security numbers, birth dates and other personal information"
Breach Description:
"CHARLES TOWN - Jefferson County Clerk Jennifer Maghan suspended access to a newly created online tool that enables residents to search local documents after she was told that some of the documents included individuals' Social Security numbers and other personal information."
Reference URL:
NBC25 News
The Journal
The Herald-Mail
The Journal (follow-up)
Report Credit:
Nikki Burdine, NBC25
Response:
From the online sources cited above:
CHARLES TOWN, W.Va. - A "potentially devastating situation" unfolded Wednesday when the Jefferson County Clerk's Office realized that a new online records search program begun last Friday gave Internet access to individuals' Social Security numbers and other personal information, Jefferson County Clerk Jennifer Maghan said.
[Evan] Not unlike many other counties across the United States.
Maghan said Wednesday afternoon she did not know how many Social Security numbers were accessible online, but she said a software program was being run to redact, or remove, Social Security numbers and that it would take about a month for the software to scan "millions of documents."
[Evan] According to the follow-up story, the number of documents is estimated to be "nearly 1.6 million".
The personal information was mostly from county residents, although information from people outside the county might have been exposed, Maghan said.
Maghan, whose office oversees the records, said she decided to pull the service off the Internet at 1:45 p.m. Wednesday after determining that Social Security numbers were exposed.

Source: The Jefferson County Clerk home page
Maghan said she believes the computer company that worked on the program - CSSI - should have detected the problem, but she was taking responsibility for the situation.
[Evan] This is a good point. Even though a contractor worked on the program, it is the responsibility of the contractee to ensure that proper information security measures are in place. The companies I consult, do this through policy (typically a dedicated Vendor/Third-Party Security Policy), contractual language, standards, AND regular audits.
Maghan "deeply apologized" for the scare, and she wants citizens to be assured that the online feature will not be restored until she is certain that personal information of county residents is protected from online predators
"Unfortunately, this kind of fell through the cracks. I'm so upset about it," Maghan said in a telephone interview.
[Evan] I don't know Ms. Maghan or much detail about the job of county clerk, but don't you think you would know what kind of information is contained in the documents you are responsible for? How does the information just fall through the cracks?
Jefferson County Commission member Rusty Morgan said Wednesday night he had not heard about the problem and did not know why the commission was not notified.
"It seems like it's important enough we would be informed," Morgan said.
[Evan] A very important portion of an incident response plan is proper communication. What percentages of organizations, including companies, non-profits, governments, etc. have done any information security incident response planning? Based on my experience the percentages are low.
"I'm sure we'll be discussing it tomorrow," said Morgan, referring to this morning's regular county commission meeting.
The online records search allows searches of public records like property deeds, tax liens and judgments, Maghan said.
The service allows people such as attorneys to do legal work more efficiently, and similar programs have been started in Monongalia, Wood and Kanawaha counties, Maghan said.
Maghan said she started getting phone calls from concerned residents Tuesday saying that Social Security numbers were in the online records.
Maghan said once she verified that there was a problem, she made the move to take down the service.
The service has since been suspended until all Social Security numbers can be removed from the documents as they appear online
[Evan] I noticed the word "all" in Ms. Maghan's statement.
Software used to redact Social Security numbers will remove about 80 percent of the numbers, and the rest will have to be manually deleted, Maghan said.
Maghan told commissioners that she thinks only 211 visitors went to the site before the documents were pulled from public access.
After evaluating the IP addresses of those visitors, she said it appears that all of them came from the local area, and that the numbers were not viewed by anyone from outside the region.
resident Ed Burns told commissioners that the mistake was one that could have "long-term consequences."
[Evan] Very important. Disclosure of sensitive information cannot be un-disclosed. Confidentiality that has been compromised continues to be compromised indefinitely (with very few exceptions). The unauthorized disclosure of information has the potential to cause damage for as long as the information has a useful purpose. In the case of Social Security numbers, this is typically the death of the owner (with exceptions).
"It was a really stupid thing to do," he said.
Jefferson County Sheriff Everett "Ed" Boober also expressed concern about the issue that morning. Boober told commissioners that identity theft is a very real problem, and "we must be very protective" of sensitive information to ensure that no one becomes a victim of such crimes.
Commissioners urged Maghan to try to determine whose documents may have been viewed while the service was posted online. Those individuals should be notified, officials said.
Maghan noted that even after Social Security numbers are removed from the forms found in the online document search, the numbers will still be part of the public record since they appear on hard copies of documents in her office.
[Evan] Good point. So things need to change, eh? If we get creative, I am sure we could come up with a workable solution.
Residents are allowed to come to her office and view records that are stored there, she said.
Many property and bank-related documents feature Social Security numbers, she said, adding that her office is forbidden from altering the documents in any way after they have been recorded, making it impossible to ever remove the information from a hard copy of a document.
Monongalia County Clerk Carye Blaney said Wednesday that her office has done "some redacting" of Social Security numbers on the office's online records but there are "some spots" where Social Security numbers still appear online.
[Evan] Surprised?
Commentary:
This incident is (or easily could be) played out all across this country. The system is busted.
Past Breaches:
Unknown

10/29/08
Organization:
Jefferson County (WV)
Contractor/Consultant/Branch:
Jefferson County Clerk
Location:
Charles Town, West Virginia
Victims:
Current and former citizens
Number Affected:
Unknown
Types of Data:
"Social Security numbers, birth dates and other personal information"
Breach Description:
"CHARLES TOWN - Jefferson County Clerk Jennifer Maghan suspended access to a newly created online tool that enables residents to search local documents after she was told that some of the documents included individuals' Social Security numbers and other personal information."
Reference URL:
NBC25 News
The Journal
The Herald-Mail
The Journal (follow-up)
Report Credit:
Nikki Burdine, NBC25
Response:
From the online sources cited above:
CHARLES TOWN, W.Va. - A "potentially devastating situation" unfolded Wednesday when the Jefferson County Clerk's Office realized that a new online records search program begun last Friday gave Internet access to individuals' Social Security numbers and other personal information, Jefferson County Clerk Jennifer Maghan said.
[Evan] Not unlike many other counties across the United States.
Maghan said Wednesday afternoon she did not know how many Social Security numbers were accessible online, but she said a software program was being run to redact, or remove, Social Security numbers and that it would take about a month for the software to scan "millions of documents."
[Evan] According to the follow-up story, the number of documents is estimated to be "nearly 1.6 million".
The personal information was mostly from county residents, although information from people outside the county might have been exposed, Maghan said.
Maghan, whose office oversees the records, said she decided to pull the service off the Internet at 1:45 p.m. Wednesday after determining that Social Security numbers were exposed.

Source: The Jefferson County Clerk home page
Maghan said she believes the computer company that worked on the program - CSSI - should have detected the problem, but she was taking responsibility for the situation.
[Evan] This is a good point. Even though a contractor worked on the program, it is the responsibility of the contractee to ensure that proper information security measures are in place. The companies I consult, do this through policy (typically a dedicated Vendor/Third-Party Security Policy), contractual language, standards, AND regular audits.
Maghan "deeply apologized" for the scare, and she wants citizens to be assured that the online feature will not be restored until she is certain that personal information of county residents is protected from online predators
"Unfortunately, this kind of fell through the cracks. I'm so upset about it," Maghan said in a telephone interview.
[Evan] I don't know Ms. Maghan or much detail about the job of county clerk, but don't you think you would know what kind of information is contained in the documents you are responsible for? How does the information just fall through the cracks?
Jefferson County Commission member Rusty Morgan said Wednesday night he had not heard about the problem and did not know why the commission was not notified.
"It seems like it's important enough we would be informed," Morgan said.
[Evan] A very important portion of an incident response plan is proper communication. What percentages of organizations, including companies, non-profits, governments, etc. have done any information security incident response planning? Based on my experience the percentages are low.
"I'm sure we'll be discussing it tomorrow," said Morgan, referring to this morning's regular county commission meeting.
The online records search allows searches of public records like property deeds, tax liens and judgments, Maghan said.
The service allows people such as attorneys to do legal work more efficiently, and similar programs have been started in Monongalia, Wood and Kanawaha counties, Maghan said.
Maghan said she started getting phone calls from concerned residents Tuesday saying that Social Security numbers were in the online records.
Maghan said once she verified that there was a problem, she made the move to take down the service.
The service has since been suspended until all Social Security numbers can be removed from the documents as they appear online
[Evan] I noticed the word "all" in Ms. Maghan's statement.
Software used to redact Social Security numbers will remove about 80 percent of the numbers, and the rest will have to be manually deleted, Maghan said.
Maghan told commissioners that she thinks only 211 visitors went to the site before the documents were pulled from public access.
After evaluating the IP addresses of those visitors, she said it appears that all of them came from the local area, and that the numbers were not viewed by anyone from outside the region.
resident Ed Burns told commissioners that the mistake was one that could have "long-term consequences."
[Evan] Very important. Disclosure of sensitive information cannot be un-disclosed. Confidentiality that has been compromised continues to be compromised indefinitely (with very few exceptions). The unauthorized disclosure of information has the potential to cause damage for as long as the information has a useful purpose. In the case of Social Security numbers, this is typically the death of the owner (with exceptions).
"It was a really stupid thing to do," he said.
Jefferson County Sheriff Everett "Ed" Boober also expressed concern about the issue that morning. Boober told commissioners that identity theft is a very real problem, and "we must be very protective" of sensitive information to ensure that no one becomes a victim of such crimes.
Commissioners urged Maghan to try to determine whose documents may have been viewed while the service was posted online. Those individuals should be notified, officials said.
Maghan noted that even after Social Security numbers are removed from the forms found in the online document search, the numbers will still be part of the public record since they appear on hard copies of documents in her office.
[Evan] Good point. So things need to change, eh? If we get creative, I am sure we could come up with a workable solution.
Residents are allowed to come to her office and view records that are stored there, she said.
Many property and bank-related documents feature Social Security numbers, she said, adding that her office is forbidden from altering the documents in any way after they have been recorded, making it impossible to ever remove the information from a hard copy of a document.
Monongalia County Clerk Carye Blaney said Wednesday that her office has done "some redacting" of Social Security numbers on the office's online records but there are "some spots" where Social Security numbers still appear online.
[Evan] Surprised?
Commentary:
This incident is (or easily could be) played out all across this country. The system is busted.
Past Breaches:
Unknown
Comments