BreachExchange mailing list archives
Data leak exposes pensioners’ personal information
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 9 Sep 2010 01:34:50 -0400
http://www.milfordbeacon.com/newsnow/x861585372/Data-leak-exposes-pensioners-personal-information

Last week some 22,000 retired Delaware governmental employees opened innocuous looking letters informing them, in boldface type, that their Social Security numbers were posted on the Internet for four days, viewable to anyone in the world including those who would use the information to commit fraud.

The personal data, which also identified retirees’ genders but did not contain their names, was inadvertently uploaded to a state agency website as part of a request for proposals packet prepared by Aon Consulting, a firm retained to assist the state with selecting a vision insurance plan for retirees.

Although the bid packet was supposed to contain random client identifiers, not Social Security numbers, no one at Aon or the Statewide Benefits Office reviewed the document before posting it to the www.bids.delaware.gov website on Aug. 16, according to Office of Management and Budget spokeswoman Catherine Kempista.

On Aug. 20, a benefits office staff member opened the online document to answer a question from a potential bidder and discovered the personal information, Kempista said. At that point, the staffer immediately pulled the bid packet from the website, she said.

Bert Scoglietti, OMB policy director, said Aon is at fault for including personal information in the document.

“Aon takes primary responsibility in this,” he said. “This document went in various formats between Aon and this office in its development. Previous versions did not contain Social Security numbers; the final document was sent by Aon.”

Scoglietti said the benefits office didn’t have to review the finalized document before posting it online.

“Documents, when they’re in final format and ready for publishing, usually at that point you consider them to be final,” he said. “There was no reason for us to think [personal information] would be in there.”

Aon spokesman Joe Micucci would not say if the misstep was attributable to human error or a computer problem.

“This specific incident is under review to ensure it doesn’t happen again,” he said. “We employ the latest technology in encryption and we have stringent internal checks.”

In a letter sent to members of the Delaware General Assembly Sept. 2, OMB Director Ann Visalli said the state is working with a cyber security and identity protection firm to assist in protecting those retirees whose information was exposed.

Spokesmen for OMB and Aon would not say how the data breach will impact the contractual relationship between the state and the consultant. Since 2007, when Aon was put on retainer, the state has paid the company more than $1.1 million for its services, according to OMB.

Scoglietti did say OMB is talking to the state attorney general’s office regarding possible legal action.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/