[SecurityRatty] tag: iowa

Social Security numbers exposed on Iowa land-records Web site

Fri, 05 Sep 2008 09:00:00 +0000

Documents with Social Security numbers have been available since 2005 on a Web site that contains land records filed in Iowa counties, although access has now been restricted.

Q&A: Iowa's tragic lesson in business continuity

Wed, 09 Jul 2008 09:00:00 +0000

Deb Hale, security administrator at Iowa-based telecommunications provider Long Lines, discusses the most important things a company can do to survive what Mother Nature decides to unleash.

Employment records in a New Mexico dumpster

Thu, 05 Jun 2008 19:32:53 +0000

Technorati Tag: Security Breach

Date Reported:
6/3/08

Organization:
State of New Mexico

Contractor/Consultant/Branch:
Department of Workplace Solutions

Victims:
Employees and job applicants

Number Affected:
Unknown

Types of Data:
"employment records with names and Social Security numbers"

Breach Description:
"ROSWELL, N.M.—State documents with names and Social Security numbers were thrown into a trash bin behind the state Department of Workforce Solutions office in Roswell."

Reference URL:
The Associated Press via Las Cruces Sun-News
Roswell Daily Record
KRQE Channel 13 News

Report Credit:
Roswell Daily Record

Response:
From the online sources cited above:

Four boxes of manilla folders with documents containing names and social security numbers were mistakenly thrown into a trash bin Monday behind the New Mexico Department of Workforce Solutions office near Main and Bland streets.
[Evan] New Mexico does not currently have a data breach disclosure law on the books. The state is one of eleven that do not. The others are Alaska, South Dakota, Iowa, Missouri, Kentucky, West Virginia, Virginia, Mississippi, Alabama, and South Carolina.

Employees at Savedra's Tienda, a nearby business, contacted County Commissioner Dick Taylor and Magil Duran of the New Mexico Department of Workforce Solutions to help remove the documents from the bin.
[Evan] This is what a model citizen does. How many people are model citizens?

papers were flying out of the Dumpster they were inside.

Duran said the Roswell office of the Department of Workforce Solutions recently moved to a new location and a janitor inadvertently threw the documents in the bin on Monday.
[Evan] Not a good excuse.

"It was a misunderstanding," Duran said.

After arriving at the scene, Duran and Taylor sifted through the bins and retrieved the files.

Duran said he would shred the files immediately.
[Evan] The files should be inventoried and their destruction should be certified.

Taylor said the files looked like employment records with hours worked along with names and social security numbers printed on them.

"That's the bad thing," Taylor said. "They should have been shredded and not dumped in the trash. The state needs to be more careful with records like that."

"We do have a standard procedure," said Carrie Moritomo of the department. "We are currently reevaluating that and making sure all of our field staff offices are aware of what that policy is."
[Evan] A "standard procedure" ain't worth the paper it's written on if nobody knows about it or follows it.

Commentary:
I doubt that this is an isolated incident and I doubt that the agency has a sound information security strategy.

Past Breaches:
Unknown

Personal information of 103,000 doctors from 11 states posted to web site

Mon, 03 Mar 2008 06:19:48 +0000

Technorati Tag: Security Breach

Date Reported:
2/27/08

Organization:
Health Net, Inc.

Contractor/Consultant/Branch:
Health Net Federal Services

Victims:
Doctors in eleven states*

*The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.

Number Affected:
103,000

Types of Data:
Names, Social Security numbers, work addresses, and national insurance identification numbers.

Breach Description:
Heath Net Federal Services inadvertently posted sensitive personal information to a publicly accessible web server. The breach affects as many as 103,000 doctors from eleven states.

Reference URL:
WEAU Channel 13 News
WDTN Channel 2 News
Radio Iowa news story

Report Credit:
WEAU Channel 13 News

Response:
From the online sources cited above:

Health Net Federal Services representatives told us Wednesday night the company notified 103-thousand doctors in eleven states that their personal information was openly posted on a company website.
[Evan] I assume that this was a publicly accessible web site, but this isn't clear.

The company is a government contractor that deals with health insurance for military families and veterans.

The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.

Director of Communications, Molly Tuttle, says the information was accidently posted to the website for about two months, and involved doctors who had filed a claim with the company between September of 2005, and September of 2006.
[Evan] I wonder how it was detected. Two months is plenty of time for search bots to index the site if it was publicly accessible.

The mistake was attributed to human error and software problems.
[Evan] Both?

Health Net Federal Services is now paying for a year's worth of credit monitoring for the doctors involved, and is not aware of any circumstances where the personal information of any doctor has been obtained or used illegally.
[Evan] Monitoring for one year, Social Security number for life.

"Protecting the privacy of our providers’ personal information is a critical priority at Health Net Federal Services. Unfortunately, in late December 2007, we were notified of potential vulnerability for us that provider data was accessible through our Web site that included social security numbers of a limited group of network and non-network providers.

Since that time, Health Net has sealed this data gap, notified the providers whose data was potentially accessible, and reported the incident to our customer.
[Evan] What "data gap"? They didn't "seal" the employee that made the mistake, did they?

In an abundance of caution, Health Net hired outside IT security experts to test our security measures and found them sound.

We regret any alarm this may have caused

Some doctors have complained in emails obtained by NewsCenter 13, that credit monitoring for a year isn't enough.

Commentary:
In the WEAU article, the Medical Director for the Western Division of Marshfield Clinic, Dr. Greg Burnett mentions how the clinic is pushing for the use of national insurance numbers (NPIs) instead of Social Security numbers and other personal information. This is a great idea! Today, doctors are required to give their personal information to insurance companies.

Also, Burnett now says in light of the recent online mistake, Marshfield Clinic is trying to decide if ending the business relationship with Health Net Federal Services, would better protect its doctors in the future.

According to the report there were two causes to this breach, "human error and software problems". It's hard to believe that it was both at the same time. Humans will always be humans, and we will always make mistakes.

Past Breaches:
January, 2008 - 5,000 Health Net employees affected by stolen laptop

Iowa State student information exposed for 6 years?

Thu, 07 Feb 2008 11:24:20 +0000

Technorati Tag: Security Breach

Date Reported:
2/7/08

Organization:
Iowa State University

Contractor/Consultant/Branch:
None

Victims:
Former students who attended course "ME 325" during the spring of 2001

Number Affected:
26

Types of Data:
Names, Social Security numbers, email addresses, scores, and grades.

Breach Description:
An Iowa State University professor inadvertently posted confidential personal information belonging to former students through the school's publicly accessible web server (iastate.edu).

Reference URL:
The Des Moines Register online story
SSNBreach.org Press Release

Report Credit:
SSNBreach.org and the Des Moines Register, with a special thanks to "Coop" a Breach Blog reader.

Response:
From the online source cited above:

An Iowa State University professor posted the names, Social Security numbers, scores, and grades of 26 former students who had taken the course "ME 325" in the spring of 2001.
[Evan] I think that this is presumed. There is no definitive evidence that the professor, Gloria Starns actually posted the information herself (at least how I read it). Allowing professors to post information to a publicly accessible Internet site makes me feel a little uneasy (risky).

The information, along with e-mail addresses was posted on Iowa State University servers, undetected since January 10, 2002

The Iowa State University indicates that ISU does not have a regular policy of searching text and non-text based files on public servers to determine whether they may contain sensitive information, according to the press release.
[Evan] Let's hope that this is likely to change.

Commentary:
1. Social Security numbers in the hands of a professor? There is no good reason for a professor to have access to this information. The information in this breach was/is seven years-old, and the school now uses "random university identification number"s, so it appears as though the school has taken some steps to protect confidential information.

2. I hope that computer system change control for key systems has been implemented that would disallow a professor or any other person not specifically trained, to post public information. Again, this was seven years ago allegedly, so maybe it is safe to assume that things have changed?

Take a peek at the Iowa State Code of Ethics Policy and feel free to comment.

Past Breaches:
Unknown

University of Iowa inadvertently posts personal data to the Internet

Tue, 15 Jan 2008 08:25:40 +0000

Technorati Tag: Security Breach

Date Reported:
1/11/08

Organization:
University of Iowa

Contractor/Consultant/Branch:
None

Victims:
May 2006 College of Engineering graduates

Number Affected:
216

Types of Data:
Names, Social Security numbers and grade point averages (GPAs)

Breach Description:
A list containing sensitive personal information belonging to University of Iowa, May 2006 College of Engineering graduates was inadvertently saved to a server accessible via the Internet. The file was exposed for several months before an external party alerted the university of the breach.

Reference URL:
The Des Moines Register Story
KCRG - TV News Story

Report Credit:
Erin Jordan, Register Iowa City Bureau

Response:
From the online sources cited above:

The University of Iowa is alerting 216 former students that their names, Social Security numbers and grade point averages were inadvertently posted on the Internet for several months.

The list of May 2006 College of Engineering graduates was put in the wrong place on a file server and ended up on the Internet, said U of I Information Technology Security Officer Jane Drews.
[Evan] Can anyone just publish files and other information to the Internet at the University of Iowa? Typically, web servers should be segregated from the internal network and access restricted to those people that are authorized to publish content. Content is published after testing and change control. Does any of this exist here?

Someone outside the university spotted the list earlier this month and alerted the U of I, Drews said. The list was then removed, she said.
[Evan] This would be embarrassing to me.

U of I technology staff believe there is little risk that the information was or will be misused.
[Evan] Should victims trust the university's risk assessment?

they are advising the students to take precautions to protect their financial information by placing "fraud alerts" on their files with the three major credit bureaus.

The college apologized for the recent incident, has corrected the problem, and said it would answer students' questions and provide assistance, if needed. To contact Drews, e-mail her at jane-drews@uiowa.edu.

Commentary:
On one hand this breach can be justified as a simple human error, on the other hand I wonder if this breach is the result of something more. People need to be trained properly and be reminded constantly about information security risk and best practices, especially if they are authorized to work with confidential information.

I also question why Social Security numbers were necessary in the file in the first place. I hope the University of Iowa does not still use Social Security numbers as student identifiers. It would have been nice if the university gave a little more information about how the plan on preventing similar occurrences in the future.

Past Breaches:
October, 2007 - Stolen University of Iowa laptop exposes philosophy students

Iowa DNR loses personal information on 7,000

Wed, 19 Dec 2007 11:22:00 +0000

Technorati Tag: Security Breach

Date Reported:
12/11/07

Organization:
State of Iowa

Contractor/Consultant/Branch:
Department of Natural Resources (DNR)
Salem Associates

Victims:
Waste water and drinking water worker permit applicants

Number Affected:
7,000

Types of Data:
Applicant data including names, addresses, phone numbers, and Social Security numbers.

Breach Description:
An employee of Salem Associates, a contractor working for the Iowa DNR lost a thumb (flash) drive containing sensitive personal information belonging to DNR waster water and drinking water permit and certification applicants.

Reference URL:
KCRG-TV News Story
Radio Iowa News Story
The Des Moines Register

Report Credit:
Mike Wagner, Managing Editor with KCRG-TV News

Response:
From the online sources cited above:

A contractor for the Iowa Department of Natural Resources lost a computer flash drive containing the names and Social Security numbers of more than 7,000 Iowans

The information on the flash drive was about people who operate water and sewage treatment plants, landfills and well-drilling operations.

the records, kept by Salem Associates of Des Moines on behalf of the DNR, were related to the certifications.
[Evan] Salem Associates is a an IT services contractor for the DNR. You would think that a company that makes a living off of IT would know better than to copy un-encrypted confidential data to a thumb drive.

Salem told DNR managers on Dec. 5 that the flash drive…went missing on Nov. 21 and probably ended up in the trash at the department's office complex in Des Moines.

Liz Christiansen, deputy director of the DNR, sent a letter to the affected people on Friday.

The records included information about retirees in addition to active workers.

Rick Hindman, an information technology supervisor at the DNR, said that Iowa government policy bans the use of flash drives to back up sensitive information but that the DNR's policy is not as specific.
[Evan] A non-specific policy is doomed to fail as is the entire program built around it.

The department was already reviewing its security policies when the Salem incident happened and probably will ban the use of flash drives in similar situations, he said.
[Evan] Probably? If the Iowa DNR decides not to ban them, I hope they at least decide to control them (encrypt).

State law and U.S. Environmental Protection Agency rules often require that Social Security numbers be listed on the databases, Hindman said.
[Evan] Is this true? Ugh, outdated regulation and bureaucracy.

He said it is unlikely that people could access the records even if they had the flash drive. That's because the file was a backup copy that would have to be restored, meaning the user would need the same program used to create the file - a program that isn't on many home or office computers. "The information is not encrypted, but it isn't very accessible," Hindman said.
[Evan] Just because the data "isn't very accessible" does not mean it is secure and it does not excuse the Iowa DNR from treating confidential data in risky manner. This is nothing more than an attempt to minimize the situation and draw attention away from the true problem(s).

He said the state has not received any reports of fraud or identity theft and doubts that it will.

The DNR is paying for a year's worth of credit-monitoring service for the workers. The workers have been told to contact the Iowa attorney general's office if they suspect fraud or identity theft.
[Evan] One year of credit monitoring may help all of those people who have expriring Social Security numbers. Do you have an expiring Social Security number? I don't.

"We sincerely apologize for the inconvenience this situation causes you and reiterate our commitment to achieving and maintaining information technology security systems," Christiansen said in her letter.

Victim Reaction:
"We were told the state system is secure and there is no way anyone could hack into it," - Scott Smith of the Boone County landfill and past president of the state landfill operators association.

"They don't have to hack to get the information - they are handing it out on flash drives." - Scott Smith

Commentary:
Breaches like this irk me. An employee working for an IT contractor for some reason thought it would be OK to copy confidential data onto a thumb drive. Thumb drives are inherently an information security nightmare if they are not properly controlled. They are small, high-capacity and easily lost or stolen. Some of the options we have explored in the past include disabling USB ports and employing technological controls (check out TrueCrypt, BeCrypt Connect Protect, GFI EndPointSecurity and Pointsec to name just a few).

According to a May, 2007 Information Week article, "Thumb Drives Replace Malware As Top Security Concern"

Why is the DNR policy "not as specific"?

Past Breaches:
Unknown