Computerworld - Memo to: California lawmakers, judges, bureaucrats and other state workers. Re: That nasty computer break-in incident. You know, the one in which payroll information for all 265,000 full- and part-time state employees was compromised by a hacker. The one IT people didn't spot for more than a month, then kept state employees in the dark about for almost three weeks after it was discovered.
Of course you're steamed at the IT people. Who wouldn't be? IT shops have fumbled security breaches before, but never with a quarter-million victims. And since you powerful politicians are among those whose names, Social Security numbers and payroll info were hacked, you'll hold hearings so you can ask: How did this happen? What went wrong? What should be done? And who can we blame?
But you don't need hearings to find out those things. The answers you want are uncomfortably easy to find - and unpleasantly simple.
How did this happen? The centralized state data center had security holes. Security procedures weren't being followed. Patches weren't being applied. A hacker - probably a "script kiddie" - discovered the holes as part of an automated scan that also turned up 2,569 other vulnerable systems. (We know the number because the script sent a confirmation to a Lycos e-mail account for each system that was successfully compromised.)
It took more than a month - from April 5 to May 7 - for IT people to discover the hack. When it was discovered, the whole mess was turned over to the Sacramento County sheriff's cybercrime task force, which recommended not informing anyone about the breach because that might hamper a criminal investigation. That's why 265,000 state employees stayed in the dark - and why they're so mad now.
Once the sheriff found and searched that Lycos mailbox, he finally OK'd lifting the lid. Then all 265,000 state employees were given the phone numbers for credit- reporting agencies Equifax, Experian and Trans Union and told that they were on their own when it came to protecting their identities and credit ratings. As a result, the credit agencies' phones were swamped, aggravating the agencies, their regular customers and California employees who still couldn't get through.
What went wrong? What didn't? Security procedures weren't followed, which is how the hack happened. There was no advance plan for dealing with a security breach, which is how we got the ensuing mess.
No one thought through the implications of simply handing over the entire incident to the sheriff's task force. No one went
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
