Vermont agency warns 70,000 of possible data compromise
Social Security numbers and other information may have been exposed
Computerworld - The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data.
The breach was discovered on Dec. 8 and involved a computer running an application that is used for collecting delinquent child support payments from noncustodial parents in the state. The "bank match" application is used to run quarterly matches of names with nine financial institutions in the state to establish whether delinquent parents have assets that can be used to pay off their child support obligations.
Each quarter, the state sends all nine financial institutions a list including names, Social Security numbers and bank or credit union account information for people who are behind on child support payments. If names from the list match the names of account holders, the institutions are required by state law to transmit that information -- using encryption -- back to the AHS.
But the AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. Tringe added that the AHS now plans to stop keeping the information on the server altogether. "The original design called for the computer to store the data," she said. "That will no longer happen."
Not all of the personal data on the compromised computer belonged to people who were behind on their child care payments. Tringe said information about more than 58,000 customers of the New England Federal Credit Union ended up on the server because the Williston, Vt.-based NEFCU mistakenly sent more information than required to the AHS.
According to Tringe, the NEFCU on two occasions -- in July 2004 and again in October 2005 -- sent over encrypted files via a communication method not used by the state. That resulted in a larger-than-required file of information being received by, and stored on, the compromised AHS server, she said.
John Dwyer, president of the NEFCU, said the agency on those two occasions used an "all accounts" method for transferring data instead of the "matched accounts" method used by the Vermont agency. It was only on those two occasions that this sort of data transfer happened, he said.
"We were never informed of the error," Dwyer said. "If we had been, we certainly would've corrected it."
The 58,000 names represent nearly all of the NEFCU's members at that time. "We've grown bigger since then," Dwyer said.
The Windows-based system that was broken into at AHS appears to have been the target of an automated attack and not a directed one, Tringe said. "It looked like the system had been infected by several bots," which were then used to store various files on the computer -- including a copy of the TV show Bones, she said.
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!