Exposure Statistics*

Florida Agency for Workforce Innovation
107 East Madison Street
Caldwell Building Suite G-229
Tallahassee, FL 32399
(850) 245-7105

http://www.floridajobs.org
Discovered: October 14, 2008
Records Exposed: 721,166
Unique Names: 249,346
Sensitivity: Severe
Duration: More Than One Month
Distribution: Exposed Online
Files Exposed: 1,857

Sensitive Information

SSNs: 244,015
Tax Information: 17,260

Other Types of Exposed Information

AG (16-Digit Serial Number)
AG (16-Digit Serial Number) or PIN
Amount
Case Manager Name
Child(ren) Full Name
Child(ren) Social Security Number
Childcare Provider
Close Reason
Closed Date
closreas
clsclass
County or Notes
Current Region
Current Unit
Customer User ID
Cycle Date
Dates of Service
Detailed and Extensive Employment Information
Earnings (3-Digit Code)
Either Phone Number or Employer Name
Employer Name
Employer Phone
Extensive and Detailed Employment Information
FEIN
FSR County
FSR Region
FSR Unit
Hire Date
Issue Date
Job Order
Local Office Number
Misc. Codes
Notes
Notes or Region
Order Date
Order Number
OSST Function
OSST Site, Notes, PIN, or Region
Parent First Name
Parent Name
Parent-Child Relationships and Personal Information
PIN
PIN (10-Digit Number), AG (16-Digit Serial Number) or Cycle Date
Reason Description, Notes
Reason Notes
Referral Date
Region
Region Number, Notes or Other information
Service Type
Site or Notes
State State ID
Station Desk
StDk
Sub Function
Tab Name
Type (i.e., Returned, Closed, FirstTime) or Earnings
Type of Service
Unit
User ID

Florida State Agency Loses 250,000+ SSNs Online

FOR IMMEDIATE RELEASE: December 2, 2008 UPDATED: December 4, 2008

Media Contact: Aaron Titus
(202) 669-2969

TALLAHASSEE, Florida. The Florida Agency for Workforce Innovation (AWI, or Florida Jobs) has lost employment information and more than a quarter million social security numbers by posting them online last month, including the social security numbers of at least fifty children.

Individuals who participated in the Florida Jobs One-Stop Program since 2002 may be at risk, and should go to National ID Watch to find out whether they were affected. To provide protection for those affected, National ID Watch has partnered with TrustedID to provide a special offer on their comprehensive identity theft protection service, IDFreeze (Code: natidwatch). These individuals will receive 30 days of free pro-active protection and 10% off a yearly plan for individuals and families.

The breach occurred when AWI posted several thousand Excel and text files containing millions of employment records in the course of developing a new website. These records contained:

  • 264,524 Unique Names, and
  • Between 255,917 and 259,193 Social Security Numbers.
  • 51 breached social security numbers belonged to children

Although some of the files were on the server for more than six years, AWI officials insist that the server was only connected to the internet for about a month. Whether social security numbers were online for a month or six years, they had no passwords, were not encrypted, and were not behind a firewall. Anyone with an internet connection could access the names and social security numbers.

"This is by far the largest breach we have documented at National ID Watch," explained Aaron Titus, Privacy Director for the Liberty Coalition. "Online breaches are among the most severe, because once information is placed online, you throw it to the Internet winds and it's impossible to get back. There's no way to tell if someone in China or New York has a copy, or how long they plan to keep it."

"Over 200 million identities were breached in the last year alone, and we do not see any signs of slowing," said Scott Mitic, CEO of TrustedID. "We believe this partnership will better arm consumers with the tools they need to proactively protect themselves and their financial information, and give them peace of mind."

We asked Florida Jobs Inspector General James Matthews the following questions:

  1. Why did AWI store sensitive Excel files on a server at all?
  2. Why was this website left open to the public for more than a month, undetected by AWI's IT department?
  3. Why were the files on the server not behind a firewall, password protected or encrypted?
  4. How many other servers store sensitive personal information, and how many of those are available to the public right now?
  5. How many AWI employees have access to clients' social security numbers, and do they all need access?
  6. How do you plan to train employees to appropriately handle sensitive personal information?
  7. Do you have a regular schedule of scanning your internal networks and external servers for personal information? If so, why was this breach not discovered?
  8. Does AWI intend to pay for identity theft protection services for the victims of this breach?
  9. Will the Agency notify victims by mail?

In response to these questions, Mr. Matthews answered in part, "The Agency takes these matters very seriously, and the security of our customers' confidential information is a number one priority. Although this was an isolated incident which was quickly discovered and corrected, we are examining the details of this issue very closely, and based on our findings, will implement any necessary system modifications and will take appropriate action in accordance with applicable law." The agency has taken or will take the following steps:

  • The Agency for Workforce Innovation quickly removed access to the sensitive information within hours of becoming aware of the breach.
  • The Agency quickly coordinated with search engines to remove cached versions of the documents from the internet.
  • The Agency will attempt to notify the victims of this breach by mail.
  • The Agency has hired a third party to assess network vulnerability.
  • The Agency is working with the Florida Department of Law Enforcement and the Office of the Attorney General.
  • The Agency pledges to learn from its mistakes.

The Liberty Coalition commends the agency for these responsible steps, but also notes the following:

  • AWI has not offered to protect victims with identity theft protection services.
  • AWI relied on public search engines and a member of the public 800 miles away to discover the breach.
  • The Agency should destroy the information, not just restrict access.
  • AWI has not disclosed how many other servers house personal information.
  • The Liberty Coalition questions the need for AWI to collect minors' social security numbers.
  • AWI has not indicated how many employees have access to clients' social security numbers.
  • AWI does not appear to regularly scan its networks for sensitive personal information.

Florida Jobs has taken the files offline, though it's too early to tell whether the Florida Jobs breach has resulted in identity theft. At a minimum, victims of this breach should visit our Resources Page, which will direct them to AnnualCreditReport.com, where they may order a free credit report.

[UPDATE Dec 3, 2008] WARNING: The Agency for Workforce Innovation has set up a website where they ask the public to enter the last four digits of their SSN for verification purposes. In an ironic display of security incompetence, the Agency for Workforce Innovation has failed to encrypt or secure this website. The last four of the SSN is used by some banks as a password, and some companies will offer credit based on the last four digits. Entering any part of an SSN over an unsecured website may put individuals at additional risk of fraud. Therefore, until the website is secured (i.e., https://), the Liberty Coalition recommends that members of the public NOT enter any part of their SSN in this website.

[UPDATE Dec 4, 2008] Shortly after the Liberty Coalition posted the previous update, the Agency secured their website. Members of the public who wish to utilize AWI's online form may do so without incurring additional risk.

Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.

About NationalIDWatch.org

National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.
