LIMA — Last month, Allen County officials learned that more than 1,100 county employees had personal information, including Social Security numbers, accidentally available on the Web.
While the county took the information down within minutes of learning about it, the deed was done, so to speak. While there has been no evidence that any of the data contained in the breach were misused, the county did purchase LifeLock memberships for all employees and the few retired employees affected by the data breach. LifeLock is a company specializing in preventing identity theft.
By all accounts, the data disclosure was simply an accident.
“It wasn’t something that someone maliciously did,” Allen County Commissioner Cory Noonan said.
Unfortunately, this is a common story that happens on a fairly regular basis across the nation.
Often, the situation involves a missing or stolen laptop containing personal information.
For example, last year a NASA employee had a laptop stolen from a parked car. The laptop contained unencrypted files of more than 10,000 NASA employees, including Social Security numbers and background check details. In North Carolina last year, five laptops disappeared from a county board of elections with information on more than 71,000 voters. Also last year, about 800,000 people had their personal information jeopardized from the California Department of Child Support Services when several computer systems were lost in shipping.
Another way government data is breached is through intentional hacking.
A hacker group calling itself SpexSec hijacked 110,000 records from a school system in Tennessee in June. Hackers also gained access to a Navy system last year compromising the personal information of more than 200,000 Navy personnel. In South Carolina last year, a former employee stole the personal data of more than 228,435 Medicaid beneficiaries. In Utah, Eastern European hackers stole 780,000 Medicaid records and information for the state’s Children’s Health Insurance Program.
Also last year, the largest cyberattack against a state government put 75 percent of South Carolina’s population at risk for identity fraud when a hacker stole a database from the state’s Department of Revenue.
In a case similar to what happened in Allen County, though on a much larger scale, the Wisconsin Department of Revenue accidentally posted Social Security numbers of more than 110,000 people and businesses on line. This was the fourth such incident in Wisconsin since 2009.
Finally, in one of the more bizarre security breaches of last year, paradegoers at the Macy’s Thanksgiving Day Parade had shredded strips of paper raining down on them that were readable and contained details about serving police officers, including their names, Social Security numbers, and bank details, as well as references to crimes in the area.
The fact is that in today’s data-driven society, even governments are not immune from data breaches.
Area government officials are reluctant to talk about such things. Or, as one county official put it while refusing to go on the record, part of their security measures include remaining silent about their security measures. Nor do they want to talk publicly about computer security lest hackers take it as a challenge to target them.
Even in Allen County, officials were vague about what happened and how long the data was publicly available.
“There’s nothing to hide,” said Jay Begg, Allen County commissioner. “It’s just that we want to be sure employees’ identities and information are protected before we tell everybody what happened.”
There are steps government agencies as well as businesses can take to prevent such data breaches.
Todd Thiemann, senior director of product marketing at Vormetric, a data security company, said agencies don’t need to secure everything.
“One of the first things that government agencies need to do … is understand where that sensitive information might be,” he said. “Then you put security around as close to that data as possible.”
He said the best thing agencies can do to supplement the firewalls and other perimeter security they have in place is to encrypt sensitive data and closely monitor the activity surrounding that data. Additionally, the security should be at the file level.
Such security saves money in the long run.
“In Allen County, the total cost of remediating the breach was $25,o00,” he said. “There are solutions out there that could cost less than that.”
Also, adopting the approach of giving employees just enough access to do their jobs and no more would reduce the chance of inadvertent disclosures, such as what happened in Allen County.
Identity theft professionals caution everyone to remain vigilant in monitoring their personal data. People should visit http://annualcreditreport.com to get free copies of their credit reports from the three major credit bureaus. Those who believe their information has been breached can place a fraud alert on their credit reports.