Another Total Security Failure!? 750K Socials Stolen in Utah

April 10, 2012. Posted by Chris Mark in Industry News, InfoSec & Privacy.
Tags: Chris Mark, cybersecurity, InfoSec, mark consulting group, markconsultinggroup.com, security, Social Security theft, Utah Health Department
(RANT ALERT) While everyone is fighting over who gets to eviscerate Global Payments in the press today, a major breach of sensitive data goes unnoticed. For the record: credit card theft is NOT identity theft. Steal my credit card every day of the week; I have zero liability. Do NOT steal my Social, passport or driver's license. We seem to be focused on the wrong data at times. I live in Utah and am pretty sure my wife's and my own 2-year-old son's Socials were included in this breach.
Today on Foxnews.com a story was posted about how hackers stole "hundreds of thousands of social security numbers" from the Utah Health Department. Well, this is not entirely accurate. The data thieves did steal the Socials, but they also stole medical information and other personal information such as names, addresses, etc. The total number of records is nearing 900,000. Here is my beef. According to the story:
“Although the state has multiple layers of security on every server, a technician installed a password that wasn’t as secure as needed.”
There are so many failures identified in this single sentence that I can hardly count them all. First, there is obviously no auditing or change control implemented. How in the heck (to be polite) did a "technician" install an insecure password without anyone noticing? I am guessing the password was "installed" on a live server? Second, I would like to know what "multiple layers of controls" were actually applied. How in the "heck" was a server, which should reside on an internal network segment, accessed by a person in Eastern Europe? Third, while banks, processors, gateways and the rest of the world are moving toward advanced, multi-factor authentication, our own Health Department is using simple passwords?!! This statement is a complete cop-out and demonstrates the incompetence of the Health Department in protecting actually sensitive data. We require credit card processors to implement strict controls to protect data that CANNOT be used to perpetrate identity theft, yet our own government can get by with simple passwords?
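The auditing the post says was missing is not exotic. As an added example (not code from the post or from the Utah Health Department), the script below reads OpenSSH-style `sshd` log lines, keeps only successful logins, and flags two things a reviewer of an internal server's logs would want to see: a login that used a password rather than a key (or MFA), and a login whose source address is outside the organization's private ranges. The log lines, the hostname, the user names and the internal ranges are all constructed for the example; the real breach's log format and addresses are not on the page.

```python
import ipaddress
import re

# Constructed sample in OpenSSH sshd syslog format; not from any real incident.
# Line 1: key-based login from inside.  Line 2: password login from inside.
# Line 3: failed password from outside.  Line 4: password login from outside.
SAMPLE_LOG = """\
Apr 10 02:14:07 hosting-db1 sshd[4821]: Accepted publickey for dbadmin from 10.20.5.14 port 51022 ssh2
Apr 10 02:31:55 hosting-db1 sshd[4903]: Accepted password for technician from 10.20.5.77 port 49812 ssh2
Apr 10 03:02:41 hosting-db1 sshd[5110]: Failed password for root from 203.0.113.9 port 40211 ssh2
Apr 10 03:02:44 hosting-db1 sshd[5110]: Accepted password for technician from 203.0.113.9 port 40211 ssh2
"""

# Assumed policy: an "internal" server should only see logins from RFC 1918 space.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Matches the "Accepted <method> for <user> from <ip> port <n>" and
# "Failed <method> ..." forms that sshd writes to syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict describing one sshd auth event, or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ip"] = ipaddress.ip_address(event["ip"])
    return event


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def audit(log_text):
    """Flag successful logins that violate the assumed policy.

    Each finding lists every reason it was flagged, so a password login from
    outside the internal ranges shows up with two reasons, not one.
    """
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "Accepted":
            continue  # failed attempts are noise for this check; track them elsewhere
        reasons = []
        if event["method"] == "password":
            reasons.append("password authentication (policy requires key or MFA)")
        if not is_internal(event["ip"]):
            reasons.append("source %s is outside internal ranges" % event["ip"])
        if reasons:
            findings.append(
                {
                    "ts": event["ts"],
                    "host": event["host"],
                    "user": event["user"],
                    "ip": str(event["ip"]),
                    "reasons": reasons,
                }
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("%s %s user=%s from=%s" % (f["ts"], f["host"], f["user"], f["ip"]))
        for r in f["reasons"]:
            print("    - " + r)
```

On the constructed sample this reports the internal password login (one reason) and the external password login (two reasons), and ignores both the key-based login and the failed attempt. In practice the same check belongs in whatever collects the server's logs centrally, so that a password being "installed" on a live box produces an alert the day it happens rather than after the data is gone.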
The best part is how they suggest that victims handle the situation: "Monitoring financial accounts and credit reports is an important first step, but identity theft victims should also alert the three credit bureaus about potential fraud," said Kirk Torgensen, a chief deputy with the Utah attorney general's office who specializes in identity theft.