Florida State Agency Loses 250,000+ SSNs Online
FOR IMMEDIATE RELEASE:
December 2, 2008
Updated December 4, 2008
TALLAHASSEE, Florida. The Florida Agency for Workforce Innovation (AWI, or Florida Jobs) has lost employment information and more than a quarter million social security numbers by posting them online last month, including the social security numbers of at least fifty children.
Individuals who participated in the Florida Jobs One-Stop Program since 2002 may be at risk, and should go to National ID Watch to find out whether they were affected.
The breach occurred when AWI posted several thousand Excel and text files containing millions of employment records in the course of developing a new website. These records contained:
- 264,524 unique names, and
- between 255,917 and 259,193 Social Security numbers.
- 51 of the breached Social Security numbers belonged to children.
Although some of the files were on the server for more than six years, AWI officials insist that the server was only connected to the internet for about a month. Whether the Social Security numbers were online for a month or six years, they had no passwords, were not encrypted, and were not behind a firewall. Anyone with an internet connection could access the names and Social Security numbers.
"This is by far the largest breach we have documented at National ID Watch," explained Aaron Titus, Privacy Director for the Liberty Coalition. "Online breaches are among the most severe, because once information is placed online, you throw it to the Internet winds and it's impossible to get back. There's no way to tell if someone in China or New York has a copy, or how long they plan to keep it."
We asked Florida Jobs Inspector General James Matthews the following questions:
- Why did AWI store sensitive Excel files on a server at all?
- Why was this website left open to the public for more than a month, undetected by AWI's IT department?
- Why were the files on the server not behind a firewall, password protected or encrypted?
- How many other servers store sensitive personal information, and how many of those are available to the public right now?
- How many AWI employees have access to clients' social security numbers, and do they all need access?
- How do you plan to train employees to appropriately handle sensitive personal information?
- Do you have a regular schedule of scanning your internal networks and external servers for personal information? If so, why was this breach not discovered?
- Does AWI intend to pay for identity theft protection services for the victims of this breach?
- Will the Agency notify victims by mail?
In response to these questions, Mr. Matthews answered in part, "The Agency takes these matters very seriously, and the security of our customers' confidential information is a number one priority. Although this was an isolated incident which was quickly discovered and corrected, we are examining the details of this issue very closely, and based on our findings, will implement any necessary system modifications and will take appropriate action in accordance with applicable law." The agency has taken or will take the following steps:
- The Agency for Workforce Innovation quickly removed access to the sensitive information within hours of becoming aware of the breach.
- The Agency quickly coordinated with search engines to remove cached versions of the documents from the internet.
- The Agency will attempt to notify the victims of this breach by mail.
- The Agency has hired a third party to assess network vulnerability.
- The Agency is working with the Florida Department of Law Enforcement and the Office of the Attorney General.
- The Agency pledges to learn from its mistakes.
The Liberty Coalition commends the agency for these responsible steps, but also notes the following:
- AWI has not offered to protect victims with identity theft protection services.
- AWI relied on public search engines and a member of the public 800 miles away to discover the breach.
- The Agency should destroy the information, not just restrict access.
- AWI has not disclosed how many other servers house personal information.
- The Liberty Coalition questions the need for AWI to collect minors' social security numbers.
- AWI has not indicated how many employees have access to clients' social security numbers.
- AWI does not appear to regularly scan its networks for sensitive personal information.
Florida Jobs has taken the files offline, though it's too early to tell whether the Florida Jobs breach has resulted in identity theft. At a minimum, victims of this breach should visit our Resources Page, which will direct you to AnnualCreditReport.com, where you may order a free credit report.
[UPDATE Dec 3, 2008] WARNING: The Agency for Workforce Innovation has set up a website where they ask the public to enter the last four digits of their SSN for verification purposes. In an ironic display of security incompetence, the Agency for Workforce Innovation has failed to encrypt or secure this website. The last four digits of the SSN are used by some banks as a password, and some companies will offer credit based on the last four digits. Entering any part of an SSN over an unsecured website may put individuals at additional risk of fraud. Therefore, until the website is secured (i.e., served over https://), the Liberty Coalition recommends that members of the public NOT enter any part of their SSN on this website.
[UPDATE Dec 4, 2008] Shortly after the Liberty Coalition posted the previous update, the Agency secured their website. Members of the public who wish to utilize AWI's online form may do so without incurring additional risk.
The information on this page was compiled by the Liberty Coalition, which bears sole responsibility for its accuracy.