Tooele officials: human error caused isolated data breach

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.sltrib.com/sltrib/news/56074611-78/county-brozovich-tooele-data.html.csp

The Tooele County commissioners sent letters to about 200 current and
former employees Thursday, explaining that their personal data had
been briefly breached in an isolated incident caused by human error.

"Tooele County regrets to inform you that your name and Social
Security number were inadvertently disclosed to a former County
employee," the letter said, providing an explanation about how the
mishap occurred.

Evidently two insurance documents from 1996 and 1997 that contained
the names and Social Security numbers had accidentally been placed in
Shane Brozovich’s personnel file.

"The information had been misfiled a long time ago, and then got
scanned and given to Brozovich," said Tooele County Public Information
Officer Wade Mathews.

Following his March 12 termination from 17 years with the county as a
heavy equipment operator, Brozovich requested a copy of his file,
receiving its contents in digital format on a compact disc.

When Brozovich discovered the sensitive data, he worried that the
error would get swept under the rug if he simply returned the CD. He
contacted the state Attorney General’s office Wednesday, hoping to
place it in their hands, but he was referred back to the county.

By 5 p.m. Wednesday, Brozovich delivered the disc to theTooele County
Attorney’s office.

"We contacted the AG’s office, and they then contacted Mr. Brozovich
and essentially told him what he could be facing," Mathews said.

Brozovich was advised that he could be charged with a felony —
punishable by up to five years in prison — if he kept the identifying
documents he knew he wasn’t meant to have.

"We appreciate his cooperation and that of the AG’s office," Mathews
said, adding that no charges would be brought against Brozovich.

The letter emphasized that the data had not been intentionally
accessed for unlawful use and had been returned.

"Although this does not excuse the mistake, it certainly presents a
more favorable situation than the typical data breach scenario," it
said.

Tooele County currently employs about 320 people, Mathews said, who
will receive emails explaining the situation and providing tips on how
to safeguard their personal information.

A human resource employee could receive a reprimand, Mathews said, but
that has yet to be determined.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.