Maryland State Govt Employee Takes, Posts 2,890 SSNs Online
FOR IMMEDIATE RELEASE: July 19, 2010
UPDATED: July 24, 2010
Media Contact: Aaron Titus
BALTIMORE, Maryland. An employee of the Maryland Department of Human Resources (DHR) posted 2,890 names, social security numbers, home addresses, phone numbers and other personal information of Baltimore County residents on his company's website for more than two months. Between April 27, 2010 and July 14, 2010 the sensitive personal information was potentially available to anyone in the world with an internet connection. The file was also accessible through the Google search engine.
The Liberty Coalition first notified DHR of the breach on July 9, 2010. By July 14, 2010 the file had been deleted, and Google cleared its search engine caches by July 17, 2010. Once notified, DHR moved quickly to have the file removed from the third-party website and notify victims. In Maryland, State agencies are not legally required to notify victims when a breach occurs. Notwithstanding, DHR mailed 2,899 letters to victims and their personal representatives notifying them of the breach.
According to Fox 45, at least one breach victim has reported unauthorized financial activity, though it is unclear whether the unauthorized activity is related to this breach. The agency has offered to pay for credit monitoring services for victims of the breach if they call 1-800-332-6347 x 3 then 0 before October 29, 2010.
The DHR employee responsible for the breach has been placed on administrative leave, and the matter has been referred to the Maryland State Attorney General's office for investigation.
DHR neither authorized the release and posting of this information nor did we know this information had been posted until we were notified by the Liberty Coalition...Within four hours [of notification], DHR had confirmed that fact and had identified the owner of the website as a DHR employee – who was not authorized to post such information on his external website. DHR then immediately launched an investigation that involved our personnel department, our IT department, the Attorney General's office and our internal Inspector General....
The employee has been placed on administrative leave pending the outcome of the investigation. DHR may pursue legal action depending on the results of the investigation.
...On July 20, only after ensuring that the information was no longer available on the Internet, DHR sent a letter to each of the affected individuals to advise them of what happened and what steps they can take to protect their identities. ...DHR will pay for credit monitoring for those who are interested in that service and had their information exposed.
For more information or to take advantage of the agency's offer to monitor credit, victims should call 1-800-332-6347 x 3 then 0 before October 29, 2010.
UPDATE July 24, 2010: We have received several calls from victims seeking additional information. The Baltimore Sun reports that the employee who caused the breach has been fired. DHR has not released, and the Liberty Coalition cannot confirm, the employee's name; however, the website on which the breach occurred was unified-dsa.com. As of July 24, 2010 the WHOIS Database lists the registrant as "Bouknight, Charles," care of Network Solutions, PO Box 459, Drums, PA. US 18222.
According to Isabelle Fitzgerald, DHR IT Director, the breached file was an internal monthly report. Social Security Numbers were probably not required to be in that report. One victim who contacted the Liberty Coalition indicated that some of the individuals on the list were deceased, indicating that the report may be months or years old. This report is consistent with dates in the Excel file, which indicate that the report may have been created as early as March, 2008. Relevant dates are below:
| Date | Field | Source |
|---|---|---|
| 03/02/2008 | "Run Date" | Column Name in File |
| 3/11/2008 12:50 PM | File Created Date | Excel File Properties |
| 3/17/2008 2:39 PM | Last Modified Date | Excel File Properties |
| 04/2008 | "Redet Dt" | Column Name in File |
| 06/2008 | "Redet Due prior Date" | Column Name in File |
| 4/27/2010 5:22 PM | Server Modified Date | unified-dsa.com server |
DHR has not indicated when the file left the control of the agency.
Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.