Sunshine State Loses Quarter Million Social Security Numbers

National ID Watch has revealed that a State of Florida agency has managed to lose a quarter million IDs and their attendant US Social Security numbers. Evidence now implicates the State of Florida Agency for Workforce Innovation (AWI) in what we believe was a completely avoidable snafu. Apparently, the Agency published personal employment information and more than 250,000 Social Security numbers online for at least 30 days (maybe longer). The information posted on the Agency’s web site included Social Security numbers of at least 50 minors. More information from the National ID Watch posting can be examined after the page jump.
From National ID Watch: “The Florida Agency for Workforce Innovation (AWI, or Florida Jobs – floridajobs.org) posted employment information and more than a quarter million social security numbers online for at least one month, and perhaps longer. The information included social security numbers of at least fifty children.
Individuals who participated in the Florida Jobs One-Stop Program since 2002 may be at risk, and should go to National ID Watch (http://www.nationalidwatch.org/) to find out whether they were affected.
In the course of developing a new employment website, AWI posted several thousand Excel and text files containing millions of employment records. These records contained:
- Between 255,917 and 259,193 Names and Social Security Numbers.
- 51 breached social security numbers belonged to children.
Although some of the files have been on the server for more than six years, AWI officials insist that the server was only connected to the internet for about a month. Whether social security numbers were online for a month or six years, they had no passwords, were not encrypted, and were not behind a firewall. Anyone with an internet connection could access the names and social security numbers.
The Liberty Coalition asked AWI the following questions:
- Why did the Agency for Workforce Innovation store sensitive Excel files on a server at all?
- Why was this website left open to the public for more than a month, undetected by AWI’s IT department?
- Why were the files on the server not behind a firewall, password protected or encrypted?
- How many other servers store sensitive personal information, and how many of those are available to the public right now?
- How many AWI employees have access to clients’ social security numbers, and do they all need access?
- How do you plan to train employees to appropriately handle sensitive personal information?
- Do you have a regular schedule of scanning your internal networks and external servers for personal information? If so, why was this breach not discovered?
- Does the Agency for Workforce Innovation intend to pay for identity theft protection services for the victims of this breach?
- Will the Agency notify victims by mail?
In response to these questions, an official answered in part, “The Agency takes these matters very seriously, and the security of our customers’ confidential information is a number one priority. Although this was an isolated incident which was quickly discovered and corrected, we are examining the details of this issue very closely, and based on our findings, will implement any necessary system modifications and will take appropriate action in accordance with applicable law.” The agency has taken or will take the following steps:
- The Agency for Workforce Innovation quickly removed access to the sensitive information within hours of becoming aware of the breach.
- The Agency quickly coordinated with search engines to remove cached versions of the documents from the internet.
- The Agency will attempt to notify the victims of this breach by mail.
- The Agency has hired a third party to assess network vulnerability.
- The Agency is working with the Florida Department of Law Enforcement and the Office of the Attorney General.
- The Agency pledges to learn from its mistakes.
The Liberty Coalition commends the agency for these responsible steps, but also notes the following:
- AWI has not offered to protect victims with identity theft protection services.
- AWI relied on public search engines and a member of the public 800 miles away to discover the breach.
- The Agency should destroy the information, not just restrict access.
- We don’t know how many other AWI servers are currently exposing personal information.
- We question the need for AWI to collect minors’ social security numbers.
- AWI has not indicated how many employees have access to clients’ social security numbers, and whether these employees require access to fulfil their job descriptions.
- AWI does not appear to regularly scan its networks for sensitive personal information.
The Agency for Workforce Innovation has taken the files offline, though it’s too early to tell whether the Florida Jobs breach has resulted in identity theft.
About NationalIDWatch.org
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition (http://www.libertycoalition.net), NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.





