[SecurityRatty] tag: milwaukee

Waukesha County job applicant data exposed in mailing

Tue, 15 Jul 2008 04:07:06 +0000

Technorati Tag: Security Breach

Date Reported:
7/13/08

Organization:
Waukesha County, Wisconsin

Contractor/Consultant/Branch:
Crivello Carlson, S.C.

Victims:
Job applicants from the year 2006

Number Affected:
"more than 130"

Types of Data:
Job applications including, names, addresses, job and education history, salary, and Social Security numbers

Breach Description:
"More than 130 people who applied for a job with Waukesha County in 2006 had their Social Security numbers, employment and salary information, addresses and phone numbers and other personal information released to one of the women who applied for the job. "

Reference URL:
Milwaukee Journal Sentinel
New Richmond News

Report Credit:
Raquel Rutledge, Milwaukee Journal Sentinel

Response:
From the online sources cited above:

Taunya Thomas was horrified when she got a call from a stranger who knew almost everything about her.

The woman on the phone told Thomas she knew her Social Security number, where she lived and worked, how much money she made and where she went to high school and college. She rattled them off, not missing a single digit or fact.

She promised she wasn't going to use the information.
[Evan] Yeah. The government body that exposed the information made the promise that "your Social Security number will remain confidential". So much for promises.

She was calling, she said, because she wanted Thomas and others to know where she had gotten it.

She hadn't stolen it.

Waukesha County sent it to her in the mail, along with the same personal information for more than 130 other people who had all applied for a job with the county in 2006.
[Evan] What's with Wisconsin and mailing confidential information (in error)? This is the third mailing error reported on The Breach Blog coming out of Wisconsin this year.

The woman on the phone, Bernadine Matthews, too had applied for the position as an economic support specialist.

This is Matthews displayed holding the applications. Source: Milwaukee Journal Sentinel

When she didn't get it, she filed a complaint with the Equal Employment Opportunity Commission.

As part of the complaint and the investigation, the EEOC requested copies of all the applications.

The law firm representing the county, Crivello Carlson, sent the applications to Matthews.
[Evan] Really? Any second thoughts about the fact that this may put innocent people at risk?

Waukesha County tried to reclaim the documents sent to Matthews, threatening to get a search warrant and send a lawyer to her house, Matthews said.

When Matthews refused, they insisted she bring the documents to the law firm so they could white-out the private information in the applications.

Again, Matthews refused.
[Evan] At what point does Matthews cross a line. The confidential information on those job applications does NOT belong to her. In my opinion, she has no right to maintain possession of the information. For Matthews to knowingly maintain information that does not belong to her almost seems criminal to me.

The applications would be critical to her discrimination suit, she thought.
[Evan] So risk the disclosure of senstive information belonging to 130 people for your own benefit? If not criminal, it is certainly selfish.

She quickly hired an attorney, copied the documents and sent a set back to the county. She keeps her copies in an oversize safe-deposit box at her bank, she said.
[Evan] Who authorized her to make copies? The data owners (victims) certainly did not.

"I'm not going to be like the county," Matthews said. "I'm going to protect the privacy of the information in this box. Obviously they didn't give a darn about the applicants' privacy."

The Waukesha County employment application specifically states it will protect Social Security numbers.

"Your Social Security Number will remain confidential and will not be copied or released but is required for applicant tracking purposes," the application reads.

Ray Pollen, an attorney with Crivello Carlson, at first said it was no mistake that Matthews received the uncensored applications.
[Evan] So Mr. Pollen sent the information on purpose. Did he stop to think that there might be a problem here? Did it occur to anyone that they should redact the most sensitive information such as Social Security numbers, or names?

He said it was required under federal law that all parties in an EEOC discrimination complaint receive copies of information requested by the agency investigating. He couldn't point to the specific provision.
[Evan] Does a specific provision exist? I cannot think of a single purpose that a Social Security number would serve in this case.

Several days later, Pollen said the EEOC had no such requirement.

"The EEOC is silent on the issue," he said.

Instead it's the state's Equal Rights Division that requires all parties be copied on information requested by the division but even that provision doesn't mandate that attachments - such as the applications - be included. And, Matthew's case was not filed with the state.

"We followed the state's protocol," Pollen said.

P.I. asked: So anyone who applies for a job with Waukesha County could have their private information disclosed to a non-governmental third-party?

Pollen answered: "We responded to a federal agency's request for information. . . . In my opinion there was no violation of any law or procedure."
[Evan] Let's give Mr. Pollen the benefit of the doubt. Let's say that there was no violation of any law or procedure here. There certainly seems to be a violation of trust, a violation of good judgment, and a violation of privacy. The "if the law don't state it, then I must be able to do it" mentality is one of the reasons we have so many laws. Maybe if we used a little more common sense.

Taunya Thomas called the release of her information to a stranger shocking. She said at a minimum the county should have notified her that her information had been compromised.

"I'm devastated that it's that easy for my information to be disclosed," she said. "For someone to call me and tell me where I worked, where I went to school, recite my Social Security number verbatim to me, that's scary."

Commentary:
This is a very frustrating breach to read about. It is frustrating when someone knowingly discloses confidential information and then tries to justify it. Equally frustrating is when a person that has no right to the information refuses to part with it. In the middle of all of this are 130 innocent people.

I do not claim to know half as much about the law as Mr. Pollen does. His actions may be well within his legal rights for all I know.

Past Breaches:
Unknown

Metro Round-Up: Delays and New Beginnings

Mon, 23 Jun 2008 06:54:43 +0000

Milwaukee, Wisc., network likely won't expand: Midwest Fiber Networks spent $700,000 to build a pilot network that they can't fund citywide. They want anchor tenants for the $20m network, and can't get the city signed on. The company will continue running the network, though, and is looking into alternatives. I always thought a fiber provider had a great win in having their backhaul to operate the many Wi-Fi nodes needed.

Nashua, N.H.'s downtown network may never launch: The local paper says, c'mon, already. The network was to span a 1.2-mi stretch of the main street and use donations. Deadlines have come and gone for a year.

Covad may launch San Carlos, Calif., test network: The company know for wired installations as the last-man-standing among competitive DSL and other digital line providers nationwide, is looking for city access to build a square mile test area. This is the latest wrinkle in trying to get Wireless Silicon Valley underway after the consortium was unable to raise funds, and lead-partner Azulstar stepped back or was replaced.

Lexington, Kent., may relaunch shuttered network: The city bought SkyTel's network assets for $10 over a year ago--10 dollars, not 10 plus any zeroes--and the city may partner with the University of Kentucky to build a public-safety network. The university would manage the network. It's unclear from the article if any public access would be included.

Burglary at Milwaukee tax & accounting firm exposes 600

Wed, 27 Feb 2008 13:36:49 +0000

Technorati Tag: Security Breach

Date Reported:
2/22/08

Organization:
Kurt Bischoff Tax & Accounting, Inc.

Contractor/Consultant/Branch:
None

Victims:
Clients

Number Affected:
~600

Types of Data:
Names, addresses, dates of birth, Social Security numbers and bank account numbers.

Breach Description:
The office of Kurt Bischoff Tax & Accounting, Inc. of Milwaukee, Wisconsin was burglarized on February 21st, 2008 and a desktop computer was stolen. The computer contained sensitive personal information belonging to clients of the firm.

Reference URL:
Wisconsin Office of Privacy Protection notification

Report Credit:
The Wisconsin Department of Agriculture, Trade & Consumer Protection

Response:
From the online source cited above:

Approximately 600 individuals had their information compromised.

The office of Kurt Bischoff Tax & Accounting, Inc. was burglarized on February 21, 2008 and had a desktop computer stolen.

The computer had personally identifiable information on it, such as names, addresses, birthdates, social security numbers, and bank account numbers.

There is a police report on file.

If you are one of those affected, place a fraud alert on your credit report, as explained in our fact sheet on the data breach page titled, “Data Breach: What to Do if it Happens to You,” which also provides additional steps to take to protect yourself.
[Evan] "Data Breach: What to Do if it Happens to You" is a good read offering useful tips.

Commentary:
You may be asking why confidential customer (client) records were on a desktop computer. You may also be asking yourself why the records were not encrypted. Obviously accountants work with very sensitive information that requires added levels of protection.

Last year I was talking with my neighbor, who is a partner in an accountant firm, about how his firm protects client information. I was surprised by how little they do and how freely confidential information flowed into, within, and out of his company. I found it ironic that his company often conducted SAS 70 (not that SAS 70 attests to any real level of security) audits too.

The notification was lightning fast. The breach occurred on 2/21 and the Wisconsin Department of Agriculture, Trade & Consumer Protection was informed on 2/22.

Past Breaches:
Unknown

Sensitive Milwaukee County information posted to Web

Wed, 13 Feb 2008 14:06:24 +0000

Technorati Tag: Security Breach

Date Reported:
2/11/08

Organization:
Milwaukee County (Wisconsin, USA)

Contractor/Consultant/Branch:
Citizens for Responsible Government Network

Victims:
Persons involved with the county

Number Affected:
Unknown

Types of Data:
"patient and legal records"

Breach Description:
Milwaukee County officials released a copy of their "county spending database" to the activist group Citizens for Responsible Government Network that contained sensitive personal information belonging to various persons who had contact with the county. Citizens for Responsible Government Network agreed to remove the confidential information at the request of county officials, but the information had been posted for as many as six (6) days.

Reference URL:
Milwaukee Journal Sentinel story
United Press International story

Report Credit:
Milwaukee Journal Sentinel

Response:
From the online sources cited above:

Citizens for Responsible Government Network agreed to dump descriptions from some 6,900 bills that county officials feared included names of people who had court-ordered psychiatric exams, other patient service information and guardianship case details.

The information had been displayed on the group's Web site for six days, after CRG obtained a database on all county spending for the last two years.

CRG pulled a few hundred descriptions on court spending from its Web site over the weekend, after county Clerk of Court John Barrett complained about the release.

The group on Monday trashed thousands more county records CRG had displayed that came from the Sheriff's Department, the House of Correction, the district attorney's office, the Department of Health and Human Services, the Personnel Review Board and the Division of Economic and Community Development.

The county will supply the group with an edited version of the same county spending database, after department heads get a chance to better scrutinize the records, said Cynthia Archer, acting director of the county's Department of Administrative Services.

On Monday, Archer said she "questioned the wisdom" of Barrett's office forwarding confidential information included in its vendor database in response to a public record request by the group.
[Evan] What wisdom?

County Executive Scott Walker said he had not heard of any complaints from anyone whose confidential information was placed on the Internet for nearly a week.

Barrett said he was happy the records that identified court-ordered psychiatric exams and guardianship details were removed from the site but still worried about whether they had been found by any browsers. That type of information is generally confidential.
[Evan] I am not sure if this information was indexable by the various search engines, but it should definitely be explored and attended to, if necessary.

"Now I have to concern myself with whether we can put the toothpaste back into the tube," Barrett said.
[Evan] This is an excellent analogy. Once information (toothpaste) is disclosed, it is very difficult if not impossible to re-secure it (put it back in the tube).

Commentary:
The database is backup (without the confidential information it appears) here; milwaukeecounty.headquarters.com/search_mke.aspx

It was a really poor decision to send information without looking at it or considering sensitivity issues. I bet they wish they had a "do over".

ACLU ALERT:
Chris Ahmuty, executive director of the American Civil Liberties Union of Wisconsin, said the county's sloppy handling of confidential information could expose it to a lawsuit for invasion of privacy.
[Evan] We need more lawsuits like we need a hole in the head.

"It seems like careless disrespect for the rights of individuals receiving service from the county," Ahmuty said.

Past Breaches:
Unknown

205 University of Wisconsin employees exposed

Mon, 21 Jan 2008 11:44:21 +0000

Technorati Tag: Security Breach

Date Reported:
1/16/08

Organization:
University of Wisconsin

Contractor/Consultant/Branch:
None

Victims:
Certain faculty and staff members who made purchases from the DoIT computer shop

Number Affected:
205

Types of Data:
University identification numbers*, email addresses and telephone numbers

*205 of the persons affected had university identification number based on their Social Security numbers

Breach Description:
Personal information belonging to University of Wisconsin at Madison faculty and staff members who made purchases from the DoIT "computer shop" was exposed on a publicly accessible web server.

Reference URL:
The Capital Times news story
Milwaukee Journal Sentinel news story
United Press International news story

Report Credit:
David Callender, The Capital Times

Response:
From the online sources cited above:

UW-Madison officials waited more than a month before advising more than 200 faculty and staff members of a potential exposure of their personal information on the Internet last year.

The personal information -- including e-mail addresses, phone numbers and Social Security-based campus ID numbers of faculty and staff who made purchases from the DoIT computer shop -- had been accessible on a campus Internet site for at least a year, said Brian Rust, communications manager for the UW's department of information technology
[Evan] One year before being noticed is too long. Is the DoIT site regularly tested for information security vulnerabilities? It should!

Rust said the Web-based database for DoIT employees was intended to keep track of sales transactions for statistical purposes.
[Evan] I wonder what personally identifiable information serves for statistical purposes.

He said the department only learned that purchasers' campus ID numbers -- some of which still use Social Security numbers -- could be accessed after a UW staffer found information about his own DoIT purchase during a routine online search.

Rust said the employees involved in the exposure were reprimanded, but declined to say what exactly their punishment entailed.

According to a letter to the affected faculty and staff dated Jan. 7, UW senior legal counsel Nancy Lynch wrote that the university became aware of the problem on Nov. 26.

Lynch wrote employees that their e-mail addresses, phone numbers and Social Security numbers were "inadvertently disclosed."

But Rust said the information did not constitute a security breach, since there was no indication that any unauthorized person -- other than the one staff member -- had actually accessed the information.
[Evan] Say huh? I guess it depends on your definition. According to Princeton University's WordNet, a breach is "a failure to perform some promised act or obligation" or "an opening (especially a gap in a dike or fortification)" According to Wisconsin law, a breach is "unauthorized acquisition of personal information", so I suppose if you have no evidence of the "unauthorized acquisition" you could get away this statement. Please don't think about running a web server without logging to show unauthorized access!

Rust said the UW delayed notifying staff members because it had to determine whether any information had been used, develop corrective measures, and ascertain the UW's legal liability. He said the UW complied with a state law requiring anyone affected by such an exposure to be notified within 45 days of the event.
[Evan] But if this was not a security breach, then why follow the Wisconsin "breach" notification law?

Rust acknowledged that although the faculty and staff names may not have been included in the information that was disclosed, in many cases their identity could be gleaned from their e-mail addresses, which usually consist of all or part of an individual's name, and from online directories that allow searches by phone number.
[Evan] Yes, this is a good point. Many UW-Madison email addresses follow a naming convention.

He also admitted that the exposure was due to the design of the database, which had been in use for about a year. He said that programmers knew the information could be accessed from outside, but apparently no one recognized that the data might include Social Security numbers and other personal information.
[Evan] Nuts. When do information security personnel get involved?

Rust said that, in contrast to those disclosures, anyone looking for personal information would have had to find the DoIT Web site in question and then would have had to know that some campus ID numbers still use Social Security numbers
[Evan] It's not hard to find! www.doit.wisc.edu/ techstore.doit.wisc.edu/. Security through obscurity DOES NOT work. Just because the information may not be easy to find does not ensure that it is secure. Didn't the person who found this stumble upon it while doing an internet search?

In an effort to control the release of personal information, the UW stopped using students' and employees' Social Security numbers as part of their campus ID numbers several years ago. But some longtime employees have not changed that ID number to a new, randomly generated number, he said.
[Evan] This is an excellent move by the University of Wisconsin, seriously.

"It's not to say that we're not taking responsibility for this exposure, but this is a reminder that if people don't want something like this to ever happen again, then they should really change that number," he said, adding that DoIT plans to phase out all Social Security-based ID numbers within about a year.
[Evan] This statement is troubling.

Commentary:
I have many issues with this breach and follow-up statements by the university. Too many for a blog posting. What issues do you find?

Past Breaches:
Unknown