City of Springfield accidentally posts sensitive information to Web site


Date Reported:
6/10/10

Organization:


Contractor/Consultant/Branch:
None

Location:
Springfield, Illinois

Victims:
Current and/or former residents

Number Affected:
Undisclosed

Types of Data:
Sensitive personal information, including Social Security numbers, driver’s license numbers, home and work telephone numbers -- even a bank account number and the name of someone who called the state anonymously to report suspected child abuse

Breach Description:
"Springfield Mayor Tim Davlin on Friday blamed a computer glitch and human error for the release of people’s private information, such as Social Security numbers and driver’s license numbers, on the city’s website."

Reference URL:
The State Journal-Register
The State Journal-Register (2)

Report Credit:
Bruce Rushton, The State Journal-Register

Response:
From the online sources cited above:

The city of Springfield put documents online that contained such sensitive information as people’s Social Security numbers, driver’s license numbers, home and work telephone numbers -- even a bank account number and the name of someone who called the state anonymously to report suspected child abuse.

The documents were posted on the city’s website in response to Freedom of Information Act requests as part of an initiative to make public information available to anyone with a computer.
[Evan]  I understand the city's responsibility to comply with FOIA requests, but the manner in which they comply seems very sloppy.

But personal information, such as home phone numbers, Social Security numbers and driver’s license numbers, are exempt from disclosure under state law.

The city removed the database from its website Thursday morning, when a Sherman man whose Social Security number and other personal information had been posted online called city hall after learning from a reporter that the city had published a police report on a burglary at a home he owned in Springfield.

The city posted the document after LexisNexis, a company that sells data online, asked for the report, according to the database that includes summaries of FOIA requests.

Besides publishing his home and cellular phone numbers, the city also published telephone numbers for his 19-year-old daughter.

The serial numbers on thousands of dollars in stolen U.S. Savings Bonds were also posted.

The city also published police reports on an embezzlement case at Prairie Land Properties on Old Rochester Road, including such information as the firm’s bank-account number and the owner’s birth date and home and cellular phone numbers.

The bank account has been closed, but the other information remains valid.

“I had no idea they published that stuff,” said Larry Quinn, owner of Prairie Land Properties. “That’s crazy.”
[Evan]  Many people don't give much thought to the amount and sensitivity of information cities, counties, states, and federal government agencies collect about them.  Unfortunately, some government agencies don't seem to give much thought to it either.

“Now you’ve just answered my question: We’ve been getting all these strange phone calls and text messages,” Quinn said.

The calls and text messages began about when the city posted his phone numbers online, Quinn said. Callers hang up, and the text messages are typically from someone trying to sell something, he said.

“Oops! We goofed!” city officials said in a Thursday afternoon posting on the city’s Facebook and Twitter pages.
[Evan] How's that for an official response?  Doesn't this instill confidence?



The database went back up a short time later.

Mayoral spokesman Ernie Slottag said the problem had been fixed by removing all police reports, which can often contain personal information.

Before the database was taken down and revised, it took a reporter less than 15 minutes of random checking to find birth dates, cell phone numbers, a Social Security number and a driver’s license number, mostly in police reports.

More than three hours after the database was taken down, Slottag said in an email to reporters that the city hadn’t yet determined the extent of the problem.
[Evan] I can tell you that the extent of the problem is probably larger than this one incident.  Oftentimes we find that a breach is merely a symptom of larger problems.  Policy, procedural, and/or cultural problems.

“At least one police report which contained private information was placed on the site in error,” Slottag wrote. “City policy is to not publish police reports because they can contain personal information. We are presently examining other files to determine if this is an isolated incident.”

Others included the name of an alleged child-abuse victim and the name of a woman who had made an anonymous call to the state Department of Children and Family Services to report suspected child abuse.
[Evan] Not cool.  Things like this could affect a person's safety.

Slottag said the city simply made a mistake.

“With the hundreds of FOIA request (sic) that the city receives each week, it is understandable that an error might be possible,” Slottag wrote in his email to reporters. “The city will do everything that it can to see that this does not happen again.”
[Evan]  If the city receives hundreds of requests each week, then there should be a pretty high priority placed on the security implications of fulfilling such requests.  I can understand errors, but I don't accept them.  There is a major difference.

An hour later, Slottag declared the problem fixed in another email to the media.

“The City of Springfield’s website containing FOIA information has returned to normal and is, again, available for viewing by the public,” Slottag wrote.

Edwards (Ward 1 Ald. Frank Edwards) said the city shouldn’t be posting responses to FOIA requests.

“Why do it?” Edwards asked. “I think they’re using it (the database) as a deterrent (to filing requests).”

What was online

When The State Journal-Register first looked at the contents of the city’s Freedom of Information database posted on the city’s website, the database included:

* At least two Social Security numbers, including one belonging to a burglary victim and another assigned to a woman arrested on suspicion of driving under the influence
* At least three driver’s license numbers
* A bank account number
* The name of a minor who was an alleged victim of child abuse
* The name of a woman who called the state Department of Children and Family Services to anonymously report child abuse
* The telephone numbers of a woman who said she had been the victim of telephone harassment
* Phone numbers of five victims in a motor-vehicle accident, including three passengers on a Springfield Mass Transit District bus
* Dozens of home phone numbers, work phones, employer names and birth dates for citizens whose names appeared in police reports.

Commentary:
This breach appears to be limited in terms of the number of affected people; however, if the problems that led to this breach are not properly addressed, there is a significant risk of a larger, more impactful breach in the future.  When I read the comments made by city officials, I get a general sense of a lack of concern.

The city needs to formalize and document their policies and procedures for handling FOIA requests.  The procedures need to be granular enough to leave no room for doubt on how requests are approved, who approves them, and what (specific) information is allowed to be published.  Beyond this, the city also needs to periodically audit what information they have made publicly available.  Employees responsible for any portion of the process must be trained properly and reminded regularly.  Of course, all of these recommendations are assuming that the city has some semblance of a formal information security program in place.  Maybe I'm going too far.


Past Breaches:
Unknown

 