BreachExchange mailing list archives

Data leak exposes pensioners’ personal information
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 9 Sep 2010 01:34:50 -0400

http://www.milfordbeacon.com/newsnow/x861585372/Data-leak-exposes-pensioners-personal-information

Last week some 22,000 retired Delaware governmental employees opened
innocuous looking letters informing them, in boldface type, that their
Social Security numbers were posted on the Internet for four days,
viewable to anyone in the world including those who would use the
information to commit fraud.

The personal data, which also identified retirees’ genders but did not
contain their names, was inadvertently uploaded to a state agency
website as part of a request for proposals packet prepared by Aon
Consulting, a firm retained to assist the state with selecting a
vision insurance plan for retirees.

Although the bid packet was supposed to contain random client
identifiers, not Social Security numbers, no one at Aon or the
Statewide Benefits Office reviewed the document before posting it to
the www.bids.delaware.gov website on Aug. 16, according to Office of
Management and Budget spokeswoman Catherine Kempista.

On Aug. 20, a benefits office staff member opened the online document
to answer a question from a potential bidder and discovered the
personal information, Kempista said.

At that point, the staffer immediately pulled the bid packet from the
website, she said.

Bert Scoglietti, OMB policy director, said Aon is at fault for
including personal information in the document.

“Aon takes primary responsibility in this,” he said. “This document
went in various formats between Aon and this office in its
development. Previous versions did not contain Social Security
numbers; the final document was sent by Aon.”

Scoglietti said the benefits office didn’t have to review the
finalized document before posting it online.

“Documents, when they’re in final format and ready for publishing,
usually at that point you consider them to be final,” he said. “There
was no reason for us to think [personal information] would be in
there.”

Aon spokesman Joe Micucci would not say if the misstep was
attributable to human error or a computer problem.

“This specific incident is under review to ensure it doesn’t happen
again,” he said. “We employ the latest technology in encryption and we
have stringent internal checks.”

In a letter sent to members of the Delaware General Assembly Sept. 2,
OMB Director Ann Visalli said the state is working with a cyber
security and identity protection firm to assist in protecting those
retirees whose information was exposed.

Spokesmen for OMB and Aon would not say how the data breach will
impact the contractual relationship between the state and the
consultant. Since 2007, when Aon was put on retainer, the state has
paid the company more than $1.1 million for its services, according to
OMB.

Scoglietti did say OMB is talking to the state attorney general’s
office regarding possible legal action.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/

