Florida State Agency Loses 250,000+ SSNs OnlineFOR IMMEDIATE RELEASE: December 2, 2008 UPDATED: December 4, 2008
Media Contact: Aaron Titus
TALLAHASSEE, Florida. The Florida Agency for Workforce Innovation (AWI, or Florida Jobs) has lost employment information and more than a quarter million social security numbers by posting them online last month, including the social security numbers of at least fifty children.
Individuals who participated in the Florida Jobs One-Stop Program since 2002 may be at risk, and should go to National ID Watch to find out whether they were affected. To provide protection for those affected, National ID Watch has partnered with TrustedID to provide a special offer on their comprehensive identity theft protection service, IDFreeze (Code: natidwatch). These individuals will receive 30 days of free pro-active protection and 10% off a yearly plan for individuals and families.
The breach occurred when posted several thousand Excel and text files containing millions of employment records in the course of developing a new website. These records contained:
- 264,524 Unique Names, and
- Between 255,917 and 259,193 Social Security Numbers.
- 51 breached social security numbers belonged to children
"This is by far the largest breach we have documented at National ID Watch," explained Aaron Titus, Privacy Director for the Liberty Coalition. "Online breaches are among the most severe, because once information is placed online, you throw it to the Internet winds and it's impossible to get back. There's no way to tell if someone in China or New York has a copy, or how long they plan to keep it."
"Over 200 million identities were breached in the last year alone, and we do not see any signs of slowing” said, Scott Mitic, CEO TrustedID. "We believe this partnership will better arm consumers with the tools they need to proactively protect themselves and their financial information, and give them peace of mind."
We asked Florida Jobs Inspector General, James Matthews the following questions:
- Why did AWI store sensitive excel files on a server at all?
- Why was this website left open to the public for more than a month, undetected by AWI's IT department?
- Why were the files on the server not behind a firewall, password protected or encrypted?
- How many other servers store sensitive personal information, and how many of those are available to the public right now?
- How many AWI employees have access to clients' social security numbers, and do they all need access?
- How do you plan to train employees to appropriately handle sensitive personal information?
- Do you have a regular schedule of scanning your internal networks and external servers for personal information? If so, why was this breach not discovered?
- Does AWI intend to pay for identity theft protection services for the victims of this breach?
- Will the Agency notify victims by mail?
- The Agency for Workforce Innovation quickly removed access to the sensitive information within hours of becoming aware of the breach.
- The Agency quickly coordinated with search engines to remove cached versions of the documents from the internet.
- The Agency will attempt to notify the victims of this breach by mail.
- The Agency has hired a third party to assess network vulnerability.
- The Agency is working with the Florida Department of Law Enforcement and the Office of the Attorney General.
- The Agency pledges to learn from its mistakes.
- AWI has not offered to protect victims with identity theft protection services.
- AWI relied on public search engines and a member of the public 800 miles away to discover the breach.
- The Agency should destroy the information, not just restrict access.
- AWI has not disclosed how many other servers house personal information.
- The Liberty Coalition questions the need for AWI to collect minors' social security numbers.
- AWI has not indicated how many employees have access to clients' social security numbers.
- AWI does not appear to regularly scans its networks for sensitive personal information.
Florida Jobs has taken the files offline, though it's too early to tell whether the Florida Jobs breach has resulted in identity theft. At a minimum, victims of this breach should visit our Resources Page which will direct you to AnnualCreditReport.com, where you may order a free credit report.
[UPDATE Dec 3, 2008] WARNING: The Agency for Workforce Innovation has set up a website where they ask the public to enter the last four digits of their SSN for verification purposes. In an ironic display of security incompetence, the Agency for Workforce Innovation has failed to encrypt or secure this website. The last four of the SSN is used by some banks as a password, and some companies will offer credit based on the last four digits. Entering any part of an SSN over an unsecured website may put individuals at additional risk of fraud. Therefore, until the website is secured (ie, https://), the Liberty Coalition recommends that members of the public NOT enter any part of their SSN in this website.
[UPDATE Dec 4, 2008] Shortly after the Liberty Coalition posted the previous update, the Agency secured their website. Members of the public who wish to utilize AWI's online form may do so without incuring additional risk.
Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.