[SecurityRatty] tag: matthew

Waukesha County job applicant data exposed in mailing

Tue, 15 Jul 2008 04:07:06 +0000

Technorati Tag: Security Breach

Date Reported:
7/13/08

Organization:
Waukesha County, Wisconsin

Contractor/Consultant/Branch:
Crivello Carlson, S.C.

Victims:
Job applicants from the year 2006

Number Affected:
"more than 130"

Types of Data:
Job applications including, names, addresses, job and education history, salary, and Social Security numbers

Breach Description:
"More than 130 people who applied for a job with Waukesha County in 2006 had their Social Security numbers, employment and salary information, addresses and phone numbers and other personal information released to one of the women who applied for the job. "

Reference URL:
Milwaukee Journal Sentinel
New Richmond News

Report Credit:
Raquel Rutledge, Milwaukee Journal Sentinel

Response:
From the online sources cited above:

Taunya Thomas was horrified when she got a call from a stranger who knew almost everything about her.

The woman on the phone told Thomas she knew her Social Security number, where she lived and worked, how much money she made and where she went to high school and college. She rattled them off, not missing a single digit or fact.

She promised she wasn't going to use the information.
[Evan] Yeah. The government body that exposed the information made the promise that "your Social Security number will remain confidential". So much for promises.

She was calling, she said, because she wanted Thomas and others to know where she had gotten it.

She hadn't stolen it.

Waukesha County sent it to her in the mail, along with the same personal information for more than 130 other people who had all applied for a job with the county in 2006.
[Evan] What's with Wisconsin and mailing confidential information (in error)? This is the third mailing error reported on The Breach Blog coming out of Wisconsin this year.

The woman on the phone, Bernadine Matthews, too had applied for the position as an economic support specialist.

This is Matthews displayed holding the applications. Source: Milwaukee Journal Sentinel

When she didn't get it, she filed a complaint with the Equal Employment Opportunity Commission.

As part of the complaint and the investigation, the EEOC requested copies of all the applications.

The law firm representing the county, Crivello Carlson, sent the applications to Matthews.
[Evan] Really? Any second thoughts about the fact that this may put innocent people at risk?

Waukesha County tried to reclaim the documents sent to Matthews, threatening to get a search warrant and send a lawyer to her house, Matthews said.

When Matthews refused, they insisted she bring the documents to the law firm so they could white-out the private information in the applications.

Again, Matthews refused.
[Evan] At what point does Matthews cross a line. The confidential information on those job applications does NOT belong to her. In my opinion, she has no right to maintain possession of the information. For Matthews to knowingly maintain information that does not belong to her almost seems criminal to me.

The applications would be critical to her discrimination suit, she thought.
[Evan] So risk the disclosure of senstive information belonging to 130 people for your own benefit? If not criminal, it is certainly selfish.

She quickly hired an attorney, copied the documents and sent a set back to the county. She keeps her copies in an oversize safe-deposit box at her bank, she said.
[Evan] Who authorized her to make copies? The data owners (victims) certainly did not.

"I'm not going to be like the county," Matthews said. "I'm going to protect the privacy of the information in this box. Obviously they didn't give a darn about the applicants' privacy."

The Waukesha County employment application specifically states it will protect Social Security numbers.

"Your Social Security Number will remain confidential and will not be copied or released but is required for applicant tracking purposes," the application reads.

Ray Pollen, an attorney with Crivello Carlson, at first said it was no mistake that Matthews received the uncensored applications.
[Evan] So Mr. Pollen sent the information on purpose. Did he stop to think that there might be a problem here? Did it occur to anyone that they should redact the most sensitive information such as Social Security numbers, or names?

He said it was required under federal law that all parties in an EEOC discrimination complaint receive copies of information requested by the agency investigating. He couldn't point to the specific provision.
[Evan] Does a specific provision exist? I cannot think of a single purpose that a Social Security number would serve in this case.

Several days later, Pollen said the EEOC had no such requirement.

"The EEOC is silent on the issue," he said.

Instead it's the state's Equal Rights Division that requires all parties be copied on information requested by the division but even that provision doesn't mandate that attachments - such as the applications - be included. And, Matthew's case was not filed with the state.

"We followed the state's protocol," Pollen said.

P.I. asked: So anyone who applies for a job with Waukesha County could have their private information disclosed to a non-governmental third-party?

Pollen answered: "We responded to a federal agency's request for information. . . . In my opinion there was no violation of any law or procedure."
[Evan] Let's give Mr. Pollen the benefit of the doubt. Let's say that there was no violation of any law or procedure here. There certainly seems to be a violation of trust, a violation of good judgment, and a violation of privacy. The "if the law don't state it, then I must be able to do it" mentality is one of the reasons we have so many laws. Maybe if we used a little more common sense.

Taunya Thomas called the release of her information to a stranger shocking. She said at a minimum the county should have notified her that her information had been compromised.

"I'm devastated that it's that easy for my information to be disclosed," she said. "For someone to call me and tell me where I worked, where I went to school, recite my Social Security number verbatim to me, that's scary."

Commentary:
This is a very frustrating breach to read about. It is frustrating when someone knowingly discloses confidential information and then tries to justify it. Equally frustrating is when a person that has no right to the information refuses to part with it. In the middle of all of this are 130 innocent people.

I do not claim to know half as much about the law as Mr. Pollen does. His actions may be well within his legal rights for all I know.

Past Breaches:
Unknown

Hacker gets 41 months for running rogue botnet

Thu, 12 Jun 2008 09:00:00 +0000

Robert Matthew Bentley of Florida must also pay $65,000 in restitution for installing a botnet on Newell Rubbermaid's corporate network.

San Quentin visitor and volunteer information lost

Mon, 31 Mar 2008 07:14:31 +0000

Technorati Tag: Security Breach

Date Reported:
3/29/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Corrections and Rehabilitation
San Quentin State Prison

Victims:
Volunteers and visitors

Number Affected:
3,500+

Types of Data:
"names, birth dates and driver's license numbers"

Breach Description:
"A flash memory drive containing names, birth dates and driver's license numbers of more than 3,500 people who either volunteered or visited San Quentin State Prison in a group tour has been lost, a prison official said Friday."

Reference URL:
The San Francisco Chronicle
KCBS 740 AM News

Report Credit:
Matthew Yi, The San Francisco Chronicle

Response:
From the online sources cited above:

A flash memory drive containing names, birth dates and driver's license numbers of more than 3,500 people who either volunteered or visited San Quentin State Prison in a group tour has been lost, a prison official said Friday.

The flash drive was used to move the data each evening from the prison's administrative office near the parking lot to computers at the two entrance gates to the facility to allow guards to identify volunteers or groups, such as college students, that tour the prison, said Samuel Robinson, a San Quentin spokesman.
[Evan] Huh? How about a network employing encryption? They have this new technology called WPA2 (Wi-Fi Protected Access 2). It would be much more efficient, secure and cost effective to network this securely.

"What happens is that we have to transport that information out to individual areas where we let people through" onto prison grounds, he said. "It's our security measure to walk the flash drive."

The flash drive did not contain Social Security numbers, but the personal information on visitors was not encrypted, he said, adding that the prison has since decided to encrypt the data.
[Evan] It's too bad that it took a breach before prison officials noticed the risk of carrying confidential information on unencrypted mobile devices. Going forward this is a good decision by the prison, but this is what we call "reactive security".

Prison officials have not received any reports of identify theft tied to this incident

Sen. Gloria Romero, D-Los Angeles, chairwoman of the Senate Public Safety Committee, criticized the Corrections Department for losing such sensitive information, and said she will call prisons secretary James Tilton to address the issue.

"This is how cavalier the Corrections Department can be with private information," she said. "There has been a breach of security."

The unit was discovered missing March 4 and a preliminary investigation shows that it was last used on March 3, Robinson said. It's yet unclear how the flash drive was lost or if it may be somewhere on prison grounds, he said. There is no indication that the flash drive was stolen for malicious reasons, such as identity theft

Prison officials recently sent out letters alerting the individuals whose information is believed to be on the flash drive.

Anyone who has visited San Quentin and is concerned their personal information could be on the flash drive may call Sgt. Rudy Luna, administrative assistant, at (415) 455-5000 or Laura Bowman, community partnership manager, at (415) 454-1460, extension 5400.

Commentary:
Thankfully, the flash drive did not contain Social Security numbers. Can names, addresses and driver's license numbers be used for identity theft, directly?

Carrying confidential information on mobile devices is risky. Not encrypting it is reckless.

Past Breaches:
Unknown

NSM-Console and HeX update

Thu, 10 Jan 2008 09:50:00 +0000

While researching the HeX System for the pending February toolsmith, I was extremely pleased to discover NSM-Console, from Matthew Lee Hinman. I've not yet seen such an efficient, useful, all encompassing framework for offline packet analysis. NSM-Console includes modules for:
# aimsnarf
# ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
# tcpxtract
# tcpflow
# chaosreader
# bro-IDS
# snort
# tcpdstat
# capinfos
# tshark
# argus
# ragator
# racount
# rahosts
# hash (md5 & sha256)
# ra
# honeysnap
# p0f
# pads
# fl0p
# iploc
Consider giving both HeX System and the included NSM-Console an immediate look.