
Infosecurity.US

Sunshine State Loses Quarter Million Social Security Numbers

By Marc Handelman on December 3rd, 2008

National ID Watch has revealed that a State of Florida agency managed to lose a quarter million identities and their attendant US Social Security Numbers. Evidence implicates the Florida Agency for Workforce Innovation (AWI) in what we believe was a completely avoidable snafu. The Agency apparently published personal employment information and more than 250,000 social security numbers online for at least 30 days (possibly longer). The information posted on the Agency’s web site included the social security numbers of at least 50 minors. More information from the National ID Watch posting follows.

From National ID Watch: “The Florida Agency for Workforce Innovation (AWI, or Florida Jobs, floridajobs.org) posted employment information and more than a quarter million social security numbers online for at least one month, and perhaps longer. The information included social security numbers of at least fifty children.

Individuals who participated in the Florida Jobs One-Stop Program since 2002 may be at risk, and should go to National ID Watch (http://www.nationalidwatch.org/) to find out whether they were affected.

In the course of developing a new employment website, AWI posted several thousand Excel and text files containing millions of employment records. These records contained:

  • Between 255,917 and 259,193 Names and Social Security Numbers.
  • 51 breached social security numbers belonged to children.

Although some of the files have been on the server for more than six years, AWI officials insist that the server was only connected to the internet for about a month. Whether social security numbers were online for a month or six years, they had no passwords, were not encrypted, and were not behind a firewall. Anyone with an internet connection could access the names and social security numbers.

The Liberty Coalition asked AWI the following questions:

  1. Why did the Agency for Workforce Innovation store sensitive Excel files on a server at all?
  2. Why was this website left open to the public for more than a month, undetected by AWI’s IT department?
  3. Why were the files on the server not behind a firewall, password protected or encrypted?
  4. How many other servers store sensitive personal information, and how many of those are available to the public right now?
  5. How many AWI employees have access to clients’ social security numbers, and do they all need access?
  6. How do you plan to train employees to appropriately handle sensitive personal information?
  7. Do you have a regular schedule of scanning your internal networks and external servers for personal information? If so, why was this breach not discovered?
  8. Does the Agency for Workforce Innovation intend to pay for identity theft protection services for the victims of this breach?
  9. Will the Agency notify victims by mail?

In response to these questions, an official answered in part, “The Agency takes these matters very seriously, and the security of our customers’ confidential information is a number one priority. Although this was an isolated incident which was quickly discovered and corrected, we are examining the details of this issue very closely, and based on our findings, will implement any necessary system modifications and will take appropriate action in accordance with applicable law.” The agency has or will take the following steps:

  • The Agency for Workforce Innovation quickly removed access to the sensitive information within hours of becoming aware of the breach.
  • The Agency quickly coordinated with search engines to remove cached versions of the documents from the internet.
  • The Agency will attempt to notify the victims of this breach by mail.
  • The Agency has hired a third party to assess network vulnerability.
  • The Agency is working with the Florida Department of Law Enforcement and the Office of the Attorney General.
  • The Agency pledges to learn from its mistakes.

The Liberty Coalition commends the agency for these responsible steps, but also notes the following:

  • AWI has not offered to protect victims with identity theft protection services.
  • AWI relied on public search engines and a member of the public 800 miles away to discover the breach.
  • The Agency should destroy the information, not just restrict access.
  • We don’t know how many other AWI servers are currently exposing personal information.
  • We question the need for AWI to collect minors’ social security numbers.
  • AWI has not indicated how many employees have access to clients’ social security numbers, and whether these employees require access to fulfil their job descriptions.
  • AWI does not appear to regularly scan its networks for sensitive personal information.

The Agency for Workforce Innovation has taken the files offline, though it’s too early to tell whether the Florida Jobs breach has resulted in identity theft.

About NationalIDWatch.org

National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition (http://www.libertycoalition.net), NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.
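The Liberty Coalition's questions about regularly scanning servers for personal information, and the IXR practice of reporting what was exposed without revealing it, suggest a simple control. The script below is an added example, not code from the original post, from AWI or from National ID Watch: it walks a directory such as a web root, counts structurally plausible SSNs in text and CSV exports (spreadsheet files would need a separate reader, which it omits), and reports counts per file rather than the values. The sample records and file names are constructed.

```python
import os
import re
import tempfile

# 3-2-4 digit groups with optional '-' or ' ' separators, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Constructed sample export: two valid-looking SSNs, one duplicate, three impossible ones,
# plus a phone fragment and a date that must not be counted.
SAMPLE = """name,ssn,start
Jane Doe,123-45-6789,2002-05-01
John Roe,000-12-3456,2003-01-01
Baby Roe,666-01-2345,2004-01-01
Bill Poe,987-65-4320,2005-01-01
Jack Moe,234 56 7890,2006-01-01
dup,123-45-6789,2006-01-01
Order 555-1234 ref 12345
"""

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules only: area 000, 666 and 900-999 are never issued; group/serial never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def count_ssns(text: str) -> int:
    """Number of distinct plausible SSNs in the text; the values themselves are never returned."""
    found = {"".join(m.groups()) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())}
    return len(found)

def scan_tree(root: str, exts=(".txt", ".csv", ".tsv")) -> dict:
    """Map each matching file under root to its SSN hit count (files with zero hits are omitted)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as f:
                    hits = count_ssns(f.read())
                if hits:
                    report[path] = hits
    return report

def demo() -> dict:
    """Write the constructed sample into a temporary 'web root' and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "onestop_export.csv"), "w") as f:
            f.write(SAMPLE)
        with open(os.path.join(tmp, "readme.txt"), "w") as f:
            f.write("No personal data here.\n")
        return {os.path.basename(p): n for p, n in scan_tree(tmp).items()}

if __name__ == "__main__":
    print(demo())  # reports file names and counts, never the numbers
```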


Categories: Blatant Stupidity, Data Security, Features, Infosecurity, Web Security, What Were They Thinking
Tags: Blatant Stupidity, Cybercrime, Dataloss, Features, Florida, ID Theft, Liberty Coalition


The Infosecurity.US Blog is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.