A breach where nobody wants to be responsible
Technorati Tag: Security Breach
Date Reported:
12/4/08
Organization:
Deo B. Colburn Foundation
Contractor/Consultant/Branch:
Economic Research Institute ("ERI")
Internal Revenue Service ("IRS")
Location:
Online*
*ERI is located in Redmond, Washington. ERI's web site is hosted out of Colorado
Victims:
Deo B. Colburn Foundation Scholarship recipients for 2003-04 academic year
Number Affected:
341
Types of Data:
"names, addresses, academic institutions, the amount of money received and Social Security numbers"
Breach Description:
"LAKE PLACID - Hundreds of Social Security numbers of former students from all over the northern Adirondacks were released onto the Internet, potentially compromising those people’s credit and financial status, and opening the door to identity theft. Until the numbers were blacked out on Tuesday, the whole world had had access to the Social Security numbers of 341 recipients of the Lake Placid-based Deo B. Colburn Foundation Scholarship for the 2003-04 academic year through the Washington-state-based Economic Research Institute’s Web site."
Reference URL:
Lake Placid News
Report Credit:
Heather Sackett, Lake Placid News
Response:
From the online source cited above:
LAKE PLACID - Hundreds of Social Security numbers of former students from all over the northern Adirondacks, including Lake Placid, were released onto the Internet, potentially compromising those people’s credit and financial status, and opening the door to identity theft.
Until the numbers were blacked out on Tuesday, the whole world had had access to the Social Security numbers of 341 recipients of the Lake Placid-based Deo B. Colburn Foundation Scholarship for the 2003-04 academic year through the Washington-based Economic Research Institute’s Web site.
The information had possibly been there for years.
[Evan] Is "possibly" good enough? Does ERI (or their hosting provider) not log who publishes what to their web site, and when? Web sites require extensive logging, especially those which collect/process/store/create sensitive information. Additional best practices surrounding logging are regular review and archival. Has anyone checked the file for timestamps on the server? Maybe this would provide a hint. Instead of conducting a thorough investigation of this breach, it seems as though ERI just "blacked out" the sensitive information. Do people deserve better?
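One way to replace "possibly" with evidence is to pull the exposure window for the document out of the web server's own access log and compare it with the file's modification time on disk. This is an added example, not anything from ERI, the foundation or the article; the log lines, document path and client addresses are constructed for illustration.

```python
import os
import re
from datetime import datetime, timezone

# Constructed sample of combined-format (Apache/nginx) access log lines.
# The path, addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2007:09:12:01 -0700] "GET /returns/example-990.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2008:22:40:17 -0700] "GET /returns/example-990.pdf HTTP/1.1" 200 48211 "http://www.google.com/search?q=name" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2008:01:05:44 -0700] "GET /index.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Nov/2008:15:31:09 -0800] "GET /returns/example-990.pdf HTTP/1.1" 200 48211 "http://www.google.com/search?q=name" "Mozilla/5.0"
192.0.2.55 - - [21/Nov/2008:15:31:30 -0800] "GET /returns/example-990.pdf HTTP/1.1" 404 312 "-" "curl/7.19"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"'
)


def file_mtime(file_path):
    """Modification time of the document on the server, as an aware UTC datetime.
    It bounds when the file was last written, not necessarily when it was first published."""
    return datetime.fromtimestamp(os.stat(file_path).st_mtime, tz=timezone.utc)


def exposure_window(log_text, path, mtime=None):
    """Summarise successful (2xx) requests for `path`: first and last time it was
    served, number of distinct clients, and how many arrived from a search engine."""
    first = last = None
    clients = set()
    hits = search_referrals = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != path or not m.group("status").startswith("2"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits += 1
        clients.add(m.group("ip"))
        if "google." in m.group("ref"):
            search_referrals += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    summary = {"hits": hits, "clients": len(clients), "search_referrals": search_referrals,
               "first_served": first, "last_served": last}
    if mtime is not None and first is not None:
        # If the file was served before its current mtime, it was rewritten later
        # (e.g. redacted), so mtime cannot be taken as the publication date.
        summary["mtime_is_publication"] = mtime <= first
    return summary


if __name__ == "__main__":
    result = exposure_window(SAMPLE_LOG, "/returns/example-990.pdf",
                             mtime=datetime(2005, 1, 1, tzinfo=timezone.utc))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Logs only answer the question if they were kept for the whole exposure period, which is the retention point the comment above is making.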
AuSable Valley Central School graduate and past scholarship recipient Lindsey Pashow said she made the unsettling discovery on Nov. 21 when she entered her name on a "Google" search.
"The whole thing is ridiculous," she said. "I just can’t believe it."
Pashow said she is filing a formal complaint with the attorney general’s office.
She has also filed a credit report complaint and contacted the state police.
The Deo B. Colburn Foundation is a charitable organization that gives performance-based college scholarships to local students.
[Evan] A noble cause it seems.
For the 2003-04 academic year, the foundation doled out $227,500 in $500 or $1,000 amounts per year to each student.
The foundation’s 2002 tax return, form 990, which is a public document, appeared on the Economic Research Institute’s Web site.
[Evan] Form 990 is a public document, but I don't think the addendum (which contained the sensitive information) is.
As an addendum to that form, however, were the 341 names, addresses, academic institutions, the amount of money received and Social Security numbers of the scholarship recipients.
The numbers were blacked out sometime on Tuesday after the ERI learned of the mistake.
Attempting to determine who leaked the information and how it ended up on the Internet has led to finger pointing, with no organization willing to take the blame.
[Evan] Great. Meanwhile, do any of the victims know that their information was exposed? Is anyone planning on notifying them? In my opinion, all of the organizations involved in the breach are responsible. Each to a differing degree, but each responsible nonetheless.
Linda Lampkin, a research director at ERI, said revealing the personal information was a mistake on the foundation’s part.
[Evan] Really? Who is responsible for the site on which this information was found? Does ERI not at least share some responsibility for the information posted to their site? Is ERI responsible for logging? Is ERI responsible for not conducting a thorough investigation of an exposure concerning their site?
"They (the Social Security numbers) were up there because the foundation stuck them up there," she said. "The instructions say don’t put them up there because it’s a public document."
[Evan] How does ERI know that the foundation "stuck them up there"? You would think that if ERI knew that the foundation published the information, that they would also be able to tell us when. As you will read later, the foundation blames the IRS for posting the information.
The ERI is a research firm that surveys and compiles the financial information of nonprofit groups.
[Evan] Should ERI take steps to ensure that sensitive information is not exposed?
According to Lampkin, the ERI processes more than 1 million tax returns from nonprofit organizations.
Lampkin said the foundation sends its tax returns to the federal Internal Revenue Service, which then sends the information to the ERI.
[Evan] So the IRS sent the information and ERI published it? I thought Ms. Lampkin stated that the foundation "stuck them up there".
"The foundations just slap an attachment with a list," she said. "We attempt to look for (the accidental adding of Social Security numbers), but we have over a million images. We don’t have the time to look."
[Evan] Does anyone else take exception to this? "We don't have time to look"?! If you don't have time to handle sensitive information securely, then you shouldn't be in a business that might handle sensitive information. Maybe I am too much of a purist, but I really don't like this excuse.
Lampkin said the information could have been on the Web since 2005.
She added that there are other organizations similar to ERI out there that may also have access to the same information.
[Evan] So? Hopefully the "other organizations" take information security more seriously.
Craig Randall, of Lake Placid, is a trustee and president of the Deo B. Colburn Foundation, and earlier this week announced his candidacy for Lake Placid village mayor. He maintains it is the IRS, not the foundation, that is at fault.
[Evan] And the circle of blame continues...
"When we first heard about it last week, we were mystified," he said. "I can assure you the foundation would never make the information public. I have no idea how the IRS can release that information to the public."
Randall said the foundation has sent a complaint to the IRS and a letter of concern to local elected officials.
[Evan] Do you think filing a complaint with the IRS will result in anything?
He would not say if it was possible that the foundation made a mistake by accidentally including the Social Security numbers along with the tax return.
Hannelore Kissam, of Westport, prepares the foundation’s tax returns, including the 2002 return containing the Social Security numbers.
She said the IRS used to, at one time, require the Social Security numbers of all the recipients of the scholarship but stopped that practice a few years ago.
She said that while New York state informed the foundation that its tax returns would be open to public inspection, the IRS never informed the foundation of a similar change.
"We didn’t know (in 2002) that the IRS didn’t require them anymore," she said. "We never sent these things to New York state. We did not know the IRS was publishing the returns."
Kissam said she no longer includes recipients’ Social Security numbers with the foundation’s tax returns.
But Diane Besunder, a New York state media contact for the IRS, said her organization is not responsible for posting the numbers.
"It is a little bit of a puzzlement," she said. "The one thing I can assure you is that we didn’t put it online. It’s some kind of error."
[Evan] Words like "possibly", "could", "might", "should", etc. are not acceptable. These are the types of words we get as a result of a poor (or no) investigation.
Jane Zanca, public affairs specialist with the Social Security Administration, said that however the numbers ended up online, it doesn’t appear to have been done on purpose or with an intention to defraud.
Still, the Internet is hard to police, and anyone who viewed the document could have potentially saved or printed the information.
"Although they can remove it, you can’t guarantee that 17 other organizations or agencies haven’t picked it up," Zanca said.
The problem appears to have been taken care of for now and there is no evidence yet of identity theft, but the fact that no one can say for sure how long the information was out there is still upsetting to Pashow.
"I kind of wish I had never received the scholarship now," she said.
Commentary:
If you ask me, all three organizations are responsible for this breach. It really bugs me that there are little or no facts. There is plenty of finger-pointing and speculation, but nobody seems to be stepping up to the plate. Meanwhile, the people who own this information are completely in the dark.
This is a case where nobody seems to want to be responsible for information security. Sad.
We could give the benefit of the doubt and assume that a thorough investigation was conducted and more detailed information is available, but just not publicized. It could happen.
Past Breaches:
Unknown