Establishing Digital Trust: Don't Sacrifice Security for Convenience
KATU reports that the Oregon Employment Department recently began notifying 851,322 people that their personal information may have been exposed when the department's WorkSource Oregon Management Information System (WOMIS) was hacked.
According to the Statesman Journal, the information potentially exposed includes Social Security numbers, birthdates, addresses, and other data usually found on a job application.
The department only learned of the breach when it was notified by an anonymous tipster on October 6, 2014.
"Work began immediately [on October 6] -- in coordination with the state’s Chief Information Office -- to validate the information in the anonymous tip," the department said in a statement. "Once validated, WOMIS was shut down while steps were taken to correct the security vulnerability to eliminate the possibility of retrieving Social Security information. The personal information was then secured to prevent any further threats."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
The breach was then publicly disclosed four days later, on October 10 -- but letters weren't mailed to those affected until two weeks after the breach was first discovered.
Still, department legislative and public affairs manager Andrea Fogue told KATU the notification was handled as quickly as possible. "We didn't know until we reviewed 1.9 million records that there were hundreds of thousands of individuals affected," she said.
Fogue said the breach goes back to at least 2008, when the WOMIS system was first implemented.
Oregon resident Patricia Miller told KATU she received the notification letter from the employment department on October 20, 2014. "This is too little too late," she said.
Those impacted by data breaches are often frustrated by the delay between the discovery of a breach and the delivery of notification letters.
A class action lawsuit was filed in April 2014 claiming that Arizona's Maricopa Community College District (MCCCD) took too long to notify 2.5 million people that their personal information had been stolen. In that case, MCCCD took more than six months to notify those affected that their personal information had been exposed.
And 171 students were notified in August 2014 that their personal information may have been exposed when an unencrypted laptop was stolen from New Mexico State University (NMSU) almost two months earlier.
"Why in the hell did it take this long to let us know?" Ronald Thomas, whose wife was one of the affected students, asked the Albuquerque Journal at the time. "And what have they done about it?"
NMSU chief information officer Norma Grijalva said the notification letters were sent out as soon as those affected were identified. "By law we have 60 days to notify victims," she said. "We were within that timeframe."
Alia Luria, an associate attorney at law firm Akerman LLP, recently told eSecurity Planet that it's crucial to ensure that breach notifications are handled correctly. "The notification must be in compliance with the state of residence of the affected person," Luria said. "[My] primary advice is to make sure you hit deadlines for notification and involve legal counsel and an auditor if needed."