[BreachExchange] Social Security numbers of 2,100 Maine foster care participants posted online

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 14 19:11:46 EST 2017


http://www.sunjournal.com/social-security-numbers-of-2100-maine-foster-care-participants-posted-online/

The names, addresses and Social Security numbers of roughly 2,100 Mainers
who receive foster care benefits were accidentally posted to a public
website in September, the Maine Office of Information Technology said
Monday.

The office “has begun notifying approximately 2,100 individuals of a recent
incident that may have resulted in a temporary exposure of their personal
information,” the agency said in a statement.

The statement said letters notifying those affected by the breach were sent
out Thursday, seven weeks after their data was exposed. Spokesman David
Heidrich said the Office of Information Technology didn’t send the letters
until it had concluded an internal investigation and identified a service
provider to assist those affected.

The breach occurred as part of a technology system upgrade on Sept. 21,
when a contractor with the Office of Information Technology posted
information from a Maine Department of Health and Human Services child
welfare services database to “a third-party website outside the State of
Maine system,” it said.

Heidrich said the contractor, Knowledge Services, continues to work for the
state, but that the Knowledge Services worker who inadvertently made the
data public has been terminated. The individual had uploaded a file
containing the data to a free file-comparison website without realizing
that in doing so the information became publicly accessible, Heidrich said.

“The file consisted of information including the names, addresses and
Social Security numbers of persons receiving foster care benefits, as well
as the names of children and legal guardians of individuals participating
in the program,” the release said. The information was publicly available
for about 4½ hours before being taken down, it said.

Heidrich said the leaked data included Social Security numbers of foster
parents but not foster children.

After learning that the file had been made publicly available, the office
immediately contacted the website to have the information removed, it said.
The file in question was removed from the website and any copies of the
data in the company’s possession were deleted.

“Upon investigation, (the Office of Information Technology) received
assurances from the third-party website that the information was removed
from their web server and that no copy of the information remains in their
custody,” the office said in a letter to those affected. “However, (the
office) has also been informed that the posted information was accessed
once during the time it was publicly available.”

Letters were mailed Thursday to those affected, with information on how the
exposure occurred, an offer of one year of free credit and identity
monitoring and additional information on ways recipients can protect
themselves, the office said.

“I’d like to stress that we’ve been informed that this information was
accessed just once in the time that it was available, and we have no reason
to believe that this access was malicious,” Heidrich said.

Local cybersecurity expert Rob Simopoulos said not all data breaches
involve malicious intent.

“Human error can be a major factor in data breaches,” said Simopoulos,
co-founder and partner at Launch Security in Portland.

He noted that even the recent, headline-grabbing breach at credit ratings
firm Equifax, in which some 150 million Americans’ sensitive data was
stolen, ultimately was blamed on a single person within the company who
failed to apply a months-old software patch to eliminate a known security
flaw.

“There’s still a huge human element to cybersecurity and protecting data
appropriately,” Simopoulos said.