Exposure | Office of Inadequate Security

Who – if anyone – is responsible for notifying victims of some breaches?

Commentaries and Analyses, Exposure, Of Note, U.S. No Responses »

May 182013

I’ve blogged a number of times about how although law enforcement may uncover breaches or data theft, the victims often do not get notified in a timely fashion – if at all. Here are just a few scenarios where no one may notify people whose data have been stolen:

Law enforcement discovers a handwritten list of hundreds of individuals’ names, dates of birth, and Social Security numbers
Paper records with sensitive information – sometimes including medical information – are discovered in a dumpster and traced back to a defunct business or practice.
Law enforcement investigates stolen information available for sale on an underground market.

When credit card information is involved, people are more likely to get notified, as law enforcement may send a list of numbers to AmEx, Discover, or other card issuers who then take steps to protect and notify the consumer. But if there are no credit card numbers involved, it seems there are gaps in notification.

The recent controversy over the FERC/EDRM data set involving emails from Enron employees provides a useful example of the hole in our patchwork quilt on notification. The data set, available publicly, contained unredacted PII – including Social Security numbers – on thousands of people.

The data were originally gathered by the Federal Energy Regulatory Commission, and when the issue of redaction came up in court, the court was sensitive to the issue. But did FERC and their contractor do a thorough enough job in removing documents? It seems that they didn’t if there was so much PII left in the data set, even though FERC and their contractor went through a number of reviews of the data set to delete personnel’s personal information that was not appropriate for public release, as detailed in in this document.

The data set has been available for download for years, and many people knew that it contained PII. Is this a situation that the individuals affected should have been informed about? As a privacy advocate, I would say, “definitely.” But who is responsible for notifying them? And even though EDRM and Nuix have released a newly washed data set, the other Enron email data set has not yet been re-released after new washing. More importantly, even when it is released, copies of the older data sets remain on numerous people’s hard drives and are still available for download on the Internet. As a result, those whose PII were exposed are still at risk.

I would bet that FERC takes the position that it gave Enron and others an opportunity to have PII removed and therefore, they are not responsible for any notification. EDRM may take the position that they merely distribute/make available the government’s records, and therefore they are not responsible.

So is no one responsible or liable for exposing thousands of individuals’ SSN to cybercriminals? Is no one responsible for notifying individuals that their SSN and details have been available for download on the Internet for years, and have been downloaded by people all over the world? Is no one responsible for contacting every site that hosts the problematic data sets to ask them to remove them?

And if you believe that either FERC or EDRM are responsible and should be held accountable in terms of notification to individuals, what existing law(s) are you basing that on?

In the meantime, the buck seems to stop… nowhere.

WINZ: privacy breach ‘major stuff up’

Exposure, Government Sector, Non-U.S. No Responses »

May 182013

Michael Morrah reports on yet another government data breach in New Zealand:

There’s been another government breach of privacy. A Work and Income employee has emailed the private details of 34 beneficiaries to another claimant by mistake.

Even WINZ bosses are calling this breach a “major stuff up”.

It’s the latest in a series of failures, including last year’s security issue with the agency’s public kiosk computers.

Titanic Belfast web site data leak

Business Sector, Exposure, Non-U.S. No Responses »

May 182013

If you tried to obtain tickets to the Game of Thrones exhibition through the Titanic Belfast web site, some of your data personal may have leaked. See this BBC report.

Senators Tester, Baucus: EPA’s release of personal information “unacceptable”

Exposure, Government Sector No Responses »

May 162013

Montana Senators Jon Tester and Max Baucus are demanding that the EPA take immediate action to better protect the personal information of Montana ranchers after the agency accidentally released livestock producers’ names, addresses, and telephone numbers – not once, but twice.

In response to a public information request, the EPA mistakenly distributed the personal information of livestock producers in 30 states. The agency compounded its error weeks later when it again released similar information for ranchers in Montana and Nebraska.

“It is simply unacceptable that an agency entrusted with sensitive personal information should make such a careless mistake,” Tester and Baucus told EPA Acting Administrator Bob Perciasepe. “I urge your agency to thoroughly investigate how this mistake occurred, and report back on your plans to ensure it will not happen in the future.”

In addition to releasing producers’ names and contact information, the EPA documents provided the locations of livestock facilities. The EPA has requested the information’s return, but Tester says he has heard from constituents concerned about the safety of their families and businesses.

Tester and Baucus said that the agency needs accountable leadership and that Congress should quickly confirm its next permanent administrator. Last week, Republicans boycotted a key vote on EPA nominee Gina McCarthy.
The agency has now been without a Senate-confirmed administrator for three months.

Baucus, who is a senior member of the Committee tasked with approving the nomination, met personally with McCarthy and secured her commitment to hold the agency accountable and ensure personal information is protected.

“We need to make sure folks in government have all the tools they need to be successful,” Tester and Baucus said. “Congress needs to stop stalling and confirm a leader at the EPA who will make sure mistakes like this don’t happen again.”

Tester, a staunch defender of Montanans’ civil liberties, recently took the IRS to task for violating Americans’ constitutional rights by gathering personal emails without a warrant.

Tester and Baucus’ letter to EPA Acting Administrator Bob Perciasepe is available below.

May 13, 2013

Mr. Bob Perciasepe
Acting Administrator
Environmental Protection Agency
1200 Pennsylvania Avenue, NW, Room 3000
Washington, DC 20460

Dear Acting Administrator Perciasepe:

We are writing today to express our deep concerns over the release of some of our constituents’ personally identifiable information to non-government entities. For a second time in two months, the Environmental Protection Agency (EPA) released personal information of Montana’s livestock producers.

In March, EPA responded to a Freedom of Information Act Request from several groups with information on confined animal feeding operations. However, rather than redacting personally identifiable information, EPA provided names, home addresses, telephone numbers and even geographic coordinates for thousands of livestock facilities in 30 states, including states that do not require the publication of such information.

EPA subsequently found that this personal information “implicates a substantial privacy interest that outweighs any public interest in disclosure,” and requested that the information be returned, and any copies destroyed. The requestors claim to have complied with this request, and we have no reason to believe otherwise. While information determined to be private should never have been released in the first place, only a few weeks later, EPA again released a dataset containing similar information on livestock producers in Montana and Nebraska.

We have heard from our constituents that the release of their names and addresses has caused them justifiable concern for the security of their homes and businesses. While we appreciate that the EPA has admitted its error, it is simply unacceptable that an agency entrusted with sensitive personal information should make such a careless mistake. We urge your agency to thoroughly investigate how this mistake occurred, and report back on your plans to ensure it will not happen in the future. Thank you for your attention to this important issue.

Sincerely,
(s)
Jon Tester and Max Baucus

SOURCE: Senator Jon Tester

Bloomberg ‘Leaked Over 10,000 Private Messages’

Breach Incidents, Business Sector, Exposure, U.S. No Responses »

May 152013

As if Bloomberg wasn’t getting enough bad press already, they reportedly also had a data breach. Tom Brewster of TechWeekEurope reports:

Bloomberg is in hot water over privacy again, after it was claimed the company had left over 10,000 private messages sent by its customers online.

The revelations come at a bad time for Bloomberg, which is currently being quizzed over reporters’ use of financial terminals and access to client data.

The Financial Times learned of two lists of confidential messages between traders using Bloomberg’s financial terminals. The messages, which sought information on market prices, had been online for several years and were discovered with just a Google search.

A former employee uploaded the data from the messaging service to work on a data mining project for a client, reportedly to upload them to a secure site at a later time.

SC:Personal data from 12,000 York Tech applicants may have been exposed

Education Sector, Exposure, U.S. No Responses »

May 072013

Don Worthington reports:

The names, Social Security numbers and driver’s license numbers of more than 12,000 online student applicants at York Technical College might have been exposed, school officials said Tuesday.

And it was one of the applicants who discovered the problem and brought it to the college’s attention.

[...]

York Tech President Greg Rutherford said the applicant who discovered the problem used a computer tool that would allow him to make changes to the online system and “potentially view data.”

The applicant contacted the college April 16 about the vulnerability.

Rutherford declined to release the person’s name, saying he was not a college employee or a current student. He said the person, who he identified as someone experienced in information technology, wants to come to York Tech to add to his computer certification, possibly this summer or fall.