BreachExchange mailing list archives

Cumberland investigates website security breach


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 17 Jan 2013 13:42:04 -0500

http://www.wcsh6.com/news/article/227927/314/Cumberland-investigates-website-security-breach

CUMBERLAND, Maine (NEWS CENTER) -- The town of Cumberland is trying to
figure out how a 2008 document with the names and social security
numbers of 275 employees was uploaded to the town's website. That
document has since been taken down and removed from the caches of all
search engines.

The good news is, none of the employees who are affected appear to
have had their identities stolen. And the town is giving all of them 3
months of free credit monitoring so any problems will be picked up on
quickly. But this is still pretty scary to those impacted because
there's a lot the town doesn't know right now.

Winthrop EMS Chief John Dovinsky, who used to do paramedic work for
Cumberland, said, "It's certainly concerning. If you consider the fact
that the business that we're in, we're very careful to safeguard
people's information. You always expect that your employer is going to
do the same, safeguard your information."

This all came to light because an employee decided to Google himself
last week. Up popped a link to a 2008 quarterly spreadsheet that
Cumberland submits to the Maine Department of Labor for unemployment
purposes. That spreadsheet, which was posted to the town's website,
includes names and social security numbers. The employee called Town
Manager Bill Shane, who says he immediately got his IT team and
security companies working on scrubbing this document from the web.
It's no easy feat, as search engines cache web pages on a regular
basis.

Shane says he's confident that document cannot be accessed online now,
but the town is still trying to figure out how it got there, and how
long it's been there. The town switched web hosts in 2011 and knows
the document has been online at least that long.

In the meantime, 5 managers are now going to be notified every time a
document is uploaded to the town's website, so they can make sure it's
supposed to be there.

Shane said, "It's unsettling. It's very unsettling. It's disappointing
and hopefully we'll find out how so we can prevent it for the future."

Shane is among those whose information was compromised. He says he
expects the IT and security teams working on this will have a report
by mid-February with more information, which he will then share with
the affected employees. The town is offering 3 months of credit checks
because they've learned that most people who steal identities use the
information within a month of the theft.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/