A quarter million Florida job seekers exposed

Date Reported:
12/2/08

Organization:
State of Florida

Contractor/Consultant/Branch:
Agency for Workforce Innovation

Location:
Tallahassee, Florida

Victims:
"customers who received services through Florida’s One-Stop Career Centers between January 2002 and November 2007"

Number Affected:
"Approximately 250,000"

Types of Data:
"names, addresses, phone numbers and Social Security numbers"

Breach Description:
"TALLAHASSEE, Florida. The Florida Agency for Workforce Innovation (AWI, or Florida Jobs) has lost employment information and more than a quarter million social security numbers by posting them online last month, including the social security numbers of at least fifty children."

Reference URL:
National ID Watch
CBS Channel 4 News
WINK News
WFTV Channel 9 News
Florida Agency for Workforce Automation

Report Credit:
Aaron Titus, National ID Watch

Response:
From the online sources cited above:

The Agency for Workforce Innovation is continuing to take action to address a security breach that recently occurred on a test server.

The Agency for Workforce Innovation inadvertently placed confidential information belonging to a group of customers who had previously received workforce services onto an external test server.
[Evan] An external test server?  What is the purpose of an external test server?  Is there something that AWI was testing externally that couldn't be tested on a test network?  I also have a serious issue with using production data on a test system.  Production data should NEVER be used in development or test environments.  Test data is used on test servers ONLY.  Test data is sanitized and useless if compromised.

The Washington DC based Liberty Coalition spotted the error.

The breach occurred when several thousand Excel and text files containing millions of employment records were posted in the course of developing a new website. These records contained:
  • 264,524 Unique Names, and
  • Between 255,917 and 259,193 Social Security Numbers.
  • 51 breached social security numbers belonged to children

They had no passwords, were not encrypted, and were not behind a firewall.
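Two of the points above lend themselves to a concrete check: Evan's remark that only sanitized data belongs on a test server, and the description of raw files containing names and Social Security numbers sitting on an externally reachable box. The following Python script is an added example written for this page; it is not code from the post, from AWI or from the Liberty Coalition. It pseudonymizes a constructed production-style CSV extract (column names `name`, `ssn`, `phone`, the HMAC key and the sample rows are all assumptions) so the copy that goes to a test environment carries no issuable SSN, and it scans any text for SSNs that the Social Security Administration could actually have issued, which is the check a release process would run over Excel exports and text dumps before a server is exposed.

```python
import csv
import hashlib
import hmac
import io
import re

# Matches ddd-dd-dddd or nine bare digits on word boundaries.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")

# Constructed sample extract; every row is fictional.
PRODUCTION_EXTRACT = """name,ssn,phone
Jane Doe,123-45-6789,850-555-0100
John Roe,234-56-7890,850-555-0101
Bad Record,000-12-3456,850-555-0102
"""


def is_plausible_ssn(ssn):
    """True if the nine digits could have been issued by the SSA.

    The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000,
    so those values can be ignored by a scanner and used safely as placeholders.
    """
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def pseudonymize_ssn(ssn, key):
    """Map a real SSN to a consistent placeholder in the never-issued 900-999 area.

    HMAC-SHA256 keeps the mapping stable across files (joins in the test
    environment still work) while the key, which stays in production, is
    needed to recompute it.
    """
    digits = re.sub(r"\D", "", ssn)
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big")
    area = 900 + n % 100              # 900-999: not issuable
    group = 1 + (n // 100) % 99       # 01-99
    serial = 1 + (n // 9900) % 9999   # 0001-9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def sanitize_extract(csv_text, key):
    """Return a test-safe copy of the extract: names tokenized, SSNs
    pseudonymized, phone numbers replaced by a fixed fictional 555 number."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        tag = hmac.new(key, row["name"].encode(), hashlib.sha256).hexdigest()[:8]
        writer.writerow({
            "name": f"CUSTOMER-{tag}",
            "ssn": pseudonymize_ssn(row["ssn"], key),
            "phone": "850-555-0199",  # hypothetical fixed placeholder
        })
    return out.getvalue()


def find_plausible_ssns(text):
    """Scan text (a CSV, a text dump, an exported spreadsheet) and return the
    SSN-shaped values that could be real, formatted ddd-dd-dddd."""
    found = []
    for m in SSN_RE.finditer(text):
        digits = "".join(m.groups())
        if is_plausible_ssn(digits):
            found.append(f"{digits[:3]}-{digits[3:5]}-{digits[5:]}")
    return found


if __name__ == "__main__":
    key = b"production-only-key-placeholder"  # hypothetical; never copied to test
    print("before:", find_plausible_ssns(PRODUCTION_EXTRACT))
    safe = sanitize_extract(PRODUCTION_EXTRACT, key)
    print(safe)
    print("after:", find_plausible_ssns(safe))
```

The scanner deliberately ignores values in the non-issuable ranges, so the pseudonyms it produces never trip the same check that would flag the original extract; the phone numbers in the sample do not match the SSN pattern because their 3-3-4 grouping fails the second capture group.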

"This is obviously a case of gross negligence. How anybody could let 250,000 social security numbers end up online is beyond me. It seems like somebody should've gotten the memo you just shouldn't do that," said Aaron Titus, Liberty Coalition.
[Evan] I had the pleasure to speak with Aaron at some length on the phone this past summer.  You have to give him some credit; he has certainly come across a significant number of breaches.

"This is by far the largest breach I have ever come across," (Aaron Titus)
[Evan] Well, there was the Louisiana Board of Regents Breach in mid-2007 affecting ~200,000.  This was the first time I had heard of Mr. Titus.

Upon discovery, the Agency immediately contacted the appropriate law enforcement agencies, began a thorough investigation and promptly coordinated with all major external search engine companies to ensure the information was no longer accessible to the public.

The Agency has no reason to believe any personal information has been accessed for unlawful purposes.
[Evan] What would a breach notification be if it didn't include the preceding statement?  What "reason" would the Agency be looking for?

“We are committed to serving the people of Florida and to maintaining the public trust at its highest level,” said Monesia T. Brown, Director of the Agency for Workforce Innovation.

“We are thoroughly investigating this matter and are making every effort to enhance the security of our computer systems.”
[Evan] This is a heckuva promise.  Do you think anyone will take them literally, i.e. "every effort"?

Although some of the files were on the server for more than six years, AWI officials insist that the server was only connected to the internet for about a month.

The security breach occurred on an Agency test server for 19 days in October 2008 and resulted in the exposure of the names and Social Security Numbers of approximately 250,000 customers who received services through Florida’s One-Stop Career Centers between January 2002 and November 2007.

The Agency is also taking the following actions:
  • Notifications are currently being mailed to the affected customers.
  • A complete review of the Agency’s technology policies and procedures is underway.
[Evan] This needs to be done on a constant, regular basis in all organizations.
  • All affected partners are being notified to ensure optimal customer service and assistance to concerned Floridians.
  • Management teams are continuing to work diligently to protect the confidentiality of stored personal data.
[Evan] Protecting confidentiality is everybody's responsibility, not just management teams.  Diligent work should always be a priority also.  Sometimes I hate to nitpick, but if we are supposed to take them at their word, then we should hold them accountable to their word.

The information was never posted to a public website.  It was, however, accessible by search engines during the time it was public.

"It's absurd that an agency that's supposed to be protecting information can put it out there like just a sheet of paper thrown on the ground," said jobseeker Bruce Cosda.

"It adds insult to injury. These are obviously people who need help. They turn to the state government for help and it's kind of a kick in the pants," Titus said.

Abraham Teller is one of the 250,000 victims. Handicapped, and out of work, Teller asked the agency for help in 2005.

"I asked for help and this one of the very few things I got," said Teller. "I guess I kind of feel let down. I could never imagine that something like this could happen. If I guess you buy something online there is a chance you know, but here that's pretty scary."

[UPDATE Dec 3, 2008] WARNING: The Agency for Workforce Innovation has set up a website where they ask the public to enter the last four digits of their SSN for verification purposes.

In an ironic display of security incompetence, the Agency for Workforce Innovation has failed to encrypt or secure this website.

The last four of the SSN is used by some banks as a password, and some companies will offer credit based on the last four digits.

Entering any part of an SSN over an unsecured website may put individuals at additional risk of fraud.

[UPDATE Dec 4, 2008] Shortly after the Liberty Coalition posted the previous update, the Agency secured their website.

Commentary:
I noticed, and one of the news reporters noticed, that AWI did not credit Aaron Titus in their public announcement of the breach.  In fact, I could not find any reference to Aaron on the AWI web site.  Interesting.

An opinion about Aaron Titus.  Some people have questioned his motives behind breach disclosures (present and past).  Motives aside, bringing this breach to the attention of the public and the affected people is a good thing.  Mr. Titus deserves credit and gets a tip of my hat.

An opinion about National ID Watch (Mr. Titus' organization).  National ID Watch (formerly ssnbreach.org) only reports breaches found by the organization, which comprises a very small percentage of all reported breaches ("roughly .2%"), and typically (only?) addresses a single exposure vector: unsecured online information.  Although this is an important area of exposure, it does not come remotely close to addressing "information security" in totality.  National ID Watch is an important resource, but is only one of many.

Past Breaches:
State of Florida:
July, 2008 - Department of Business & Professional Regulation is notifying 150 people
July, 2008 - Florida's Agency for Health Care Administration reports a breach
January, 2008 - Five stolen Florida Department of Children and Families laptops