Beaumont city worker information posted online by mistake
Date Reported:
1/26/09
Organization:
City of Beaumont (TX)
Contractor/Consultant/Branch:
None
Location:
Beaumont, Texas
Victims:
"current and former city employees"
Number Affected:
"about 500"
Types of Data:
"personal information including birth dates and social security numbers"
Breach Description:
"BEAUMONT, Texas — Personal information of about 500 current and former Beaumont city workers accidentally was posted online."
Reference URL:
KBMT Channel 12 News
Associated Press via the Houston Chronicle
Report Credit:
KBMT Channel 12 News
Response:
From the online sources cited above:
City of Beaumont officials tell KBMT 12 News they have notified about 500 current and former city employees that their personal information may have been compromised last week.
City Manager Kyle Hayes says the information was posted on the city's website at about noon January 14 and was finally taken down at about 8 a.m. January 15.
[Evan] If the city has adequate logging enabled on the web server, they should be able to determine (with some certainty) if the file was accessed by unauthorized persons. 20 hours may be long enough to have allowed for crawler visits.
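The log review described above, as an added example that is not part of the original post: it filters web server access-log lines (Apache/NCSA "combined" format assumed) for successful retrievals of the exposed file inside the reported window and separates self-declared crawlers from other requesters. The file path, the `-0600` offset, the internal address prefix, and the sample log lines are all constructed assumptions.

```python
import re
from datetime import datetime

# Placeholder: the report does not give the real path of the exposed file.
EXPOSED_PATH = "/docs/EXPOSED-FILE-PLACEHOLDER.xls"
# Window from the report: about noon Jan 14 to about 8 a.m. Jan 15.
# The -0600 (US Central) offset is an assumption.
FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW_START = datetime.strptime("14/Jan/2009:12:00:00 -0600", FMT)
WINDOW_END = datetime.strptime("15/Jan/2009:08:00:00 -0600", FMT)
INTERNAL_PREFIXES = ("10.",)                        # assumed city network range
CRAWLER_HINTS = ("bot", "crawl", "spider", "slurp")  # user agents are self-declared
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = [
    '198.51.100.7 - - [14/Jan/2009:11:40:00 -0600] "GET /docs/EXPOSED-FILE-PLACEHOLDER.xls HTTP/1.1" 200 48211 "-" "Mozilla/4.0"',
    '10.1.4.22 - - [14/Jan/2009:12:05:10 -0600] "GET /docs/EXPOSED-FILE-PLACEHOLDER.xls HTTP/1.1" 200 48211 "-" "Mozilla/4.0"',
    '203.0.113.50 - - [14/Jan/2009:19:30:00 +0000] "GET /docs/exposed-file-placeholder.xls HTTP/1.1" 200 48211 "-" "ExampleBot/1.0 (crawler)"',
    '192.0.2.77 - - [15/Jan/2009:02:14:09 -0600] "GET /docs/EXPOSED-FILE-PLACEHOLDER.xls?x=1 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '192.0.2.80 - - [15/Jan/2009:07:59:00 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.90 - - [15/Jan/2009:08:30:00 -0600] "GET /docs/EXPOSED-FILE-PLACEHOLDER.xls HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

def triage(lines):
    """Group successful in-window retrievals of the exposed file by requester type."""
    hits = {"crawler": [], "internal": [], "external": []}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: review by hand rather than guess
        when = datetime.strptime(m["ts"], FMT)       # timezone-aware comparison
        path = m["url"].split("?", 1)[0].lower()     # ignore query string and case
        if path != EXPOSED_PATH.lower() or not (WINDOW_START <= when <= WINDOW_END):
            continue
        if m["status"] not in ("200", "206"):        # only responses that served content
            continue
        ua = m["ua"].lower()
        if any(hint in ua for hint in CRAWLER_HINTS):
            kind = "crawler"
        elif m["ip"].startswith(INTERNAL_PREFIXES):
            kind = "internal"
        else:
            kind = "external"
        hits[kind].append((when.isoformat(), m["ip"]))
    return hits
```

Any entry under `crawler` means the file may also exist in a search engine cache, and entries under `external` are the accesses that need follow-up.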
Officials say it happened accidentally after the information was exchanged with a third party.
[Evan] Accidents are more common in cases where the employees are poorly educated (in information security) and unaware.
Hayes says the city sent a letter to the current and former employees late last week.
All were people who filed worker's compensation claims over the last five years.
The letter states the incident occurred "during the course of the city's request for proposals for a Third Party Administrator for Worker's Compensation claims." It goes on to say the information also included a 5-year claims' history.
[Evan] Why would sensitive information get posted to the city's web site during this process? The city issuing an RFP and posting sensitive information seem like two unrelated tasks.
He says while he was concerned about the leak, the information was "buried" in the site and was hard to find.
[Evan] Don't count on "hard to find" as any kind of adequate control. Security through obscurity ain't security.
KBMT obtained a copy of the letter from a concerned city employee. The letter states personal information including birth dates and social security numbers were accidentally posted on the web.
Beaumont City Attorney Tyrone Cooper says city officials are looking into how this happened and are working on "damage control."
One of the employees who was affected refused to go on camera, but said many of the 500 who are affected feel the city made the mess and should assist those affected in cleaning it up and help monitor their credit.
Commentary:
The root cause of many breaches is poor information security training and awareness. Annual training (including assessments) is required in every information security program that I have established and/or managed, and awareness campaigns fill the gaps in between. What does your information security training and awareness program look like? Is it effective?
Past Breaches:
Unknown

A very similar situation to this happened at a local company in Atlanta a few months ago. The blame was on untrained employees who had no idea about keeping secured info "secured". This is terrible and more needs to be done to limit these problems.
I agree with you. Something more needs to be done. We know what needs to be done, but the question is how. I have some ideas that I am working on, but I'm not yet ready to share. Thank you for reading!