Employee posts sensitive Maryland Department of Human Resources data online
Date Reported:
7/19/10
Organization:
State of Maryland
Contractor/Consultant/Branch:
Department of Human Resources
Location:
Victims:
"clients"
Number Affected:
"nearly 3,000"
Types of Data:
"Social Security numbers and other personal information", including "names, home addresses and phone numbers"
Breach Description:
"A Maryland Department of Human Resources employee was placed on administrative leave after posting the Social Security numbers and other personal information of nearly 3,000 clients of a state agency on a third-party website, a spokeswoman for the agency said."
Reference URL:
The Baltimore Sun
The Washington Post (blog)
Report Credit:
Liz F. Kay, The Baltimore Sun
Response:
From the online sources cited above:
A Maryland employee posted about 2,900 social security numbers and other personal information online where it was available to anyone with an internet connection for more than two months, officials said Monday.
The numbers as well as names, home addresses and phone numbers of clients of Maryland’s human resources department were posted by the worker on his company’s Web site between April 27 and July 14, the agency said in a statement.
[Evan] The name of the company is "Unified Development Services Association, Ltd.", and the Website is offline. I won't mention who the domain name is registered to, but if you wanted to find out, you could easily enough. Why in the aych ee double el would this guy post this information online?
They will receive a letter that was mailed Monday with further details about the data breach.
The data had been removed from the site and cleared from Google’s cache by this week, officials said.
The employee was suspended and the matter referred to the attorney general’s office for investigation, officials said.
[Evan] First of all, the employee obtained and transferred (either physically and/or electronically) the information without authorization and then posted it online for everyone to see.
It wasn't clear whether the breach was malicious in nature, said Aaron Titus, a spokesman for the group that discovered the incident, the Liberty Coalition.
[Evan] As an information security professional, I would hate to learn about a breach from an outside party. It demonstrates a lack of detective control, in addition to the original exploit of one or more preventative control(s). On a side note, I have conversed with Mr. Titus on more than one occasion. It's nice to see that he's still at it!
He added that the vast majority of such data breaches fall into the category of ignorance or poor judgment.
[Evan] Yep.
The human resources department said it would offer a year of free credit monitoring to anyone whose information was compromised.
[Evan] I have said this before… Credit monitoring does nothing to protect credit information; it only alerts you AFTER something bad has happened. A detective control, not a preventative one. One year would be great if Social Security numbers expired after a year.
Those interested in credit monitoring should call by October 29.
Commentary:
I would really be interested in knowing the motive behind this employee's behavior. On the surface it seems almost accidental, but I suppose he could have some malicious intent too. Who knows.
Employee-related breaches are among the most difficult to prevent and/or detect. Employers have to grant employees a certain amount of trust in order to allow them to work. What can we do to prevent them from abusing this trust and causing harm? Employee screening, training, awareness campaigns, regular audits, segregation of duties, rotation, cross-training, etc. can all help. Finding the right mix of these controls is the key to mitigating some of the risk.
Past Breaches:
State of Maryland:
Numerous