BreachExchange mailing list archives

DNR manager behind data trolling


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 29 Jan 2013 16:30:25 -0500

http://www.startribune.com/local/188451931.html?refer=y

John Hunt oversaw training in handling private data. Agency promised a
thorough review of employee access.

A state agency revealed Friday that an employee who improperly
accessed thousands of driver's license records, and ignited calls for
stiffer laws, was a manager who oversaw training on how to handle
private information.

The Department of Natural Resources said John Hunt, administrative
manager of the agency's enforcement division, viewed driver's license
data on 5,000 people while off-duty and without a work-related
purpose. Altogether, Hunt made about 19,000 queries of the Driver and
Vehicle Services (DVS) database over nearly five years -- 11,800 of
them while off-duty.

The agency, which had previously declined to release Hunt's name, said
Friday that it was performing a "top-to-bottom" review of DNR employee
access to DVS data and "redoubling" employee training.

"This employee not only violated the law, but betrayed the trust of
the agency, his supervisors, and fellow employees," DNR Commissioner
Tom Landwehr said in a statement.

There is no evidence Hunt sold or disclosed the information, but the
massive breach spurred lawmakers this week to call for tougher
penalties and more disclosure when public employees misuse government
data. Two lawsuits, both seeking class-action status, have been filed
in federal court by several of the 5,000 people who received data
breach letters.

The DVS database, which contains photographs, addresses and driving
records on Minnesotans with a license, is protected by state and
federal law against illegitimate use. The agency fired Hunt on Jan. 11
and the Duluth city attorney is reviewing the case for possible
criminal charges.

Ninety percent of Hunt's queries were for females, the agency said.
The lookups included local celebrities, politicians, judges, athletes,
television news people, state employees and "victims of various
tragedies," according to Hunt's disciplinary letter and an
investigative report. Several Star Tribune reporters were among the
5,000 lookups.

Data designee

Ironically, the DNR had designated Hunt to be among those in charge of
open records requests and data training. Third-party investigators who
examined the misuse noted that Hunt's "responsibilities require him to
ensure new DNR enforcement officers complete the DVS data privacy
training provided by DNR."

The termination letter said that on one occasion, Hunt made several
unauthorized queries "immediately upon leaving" a seminar on law
enforcement data practices.

Hunt was an enforcement officer, but his role at the agency was
largely administrative. His primary duties, according to the
investigatory report, were administrating the agency's fleet program
and radio inventory, as well as some human resources functions and
equipment purchasing. He handled public requests for records as the
data compliance officer.

An 11-year employee of the agency, Hunt would have needed to use DVS
records to largely perform background checks on new officer
applicants. He would also look up records on people who sent the
commissioner a threatening letter, the report said.

An agency spokesman, Chris Niskanen, said DNR officials do not know
why Hunt made the lookups. Hunt, 48, did not return a phone message
seeking comment.

"This was a single employee," Niskanen said. "We've seen no other
trends of employees doing similar things."

Since the breach was discovered, lawmakers have proposed legislation
that would impose stiffer penalties on public employees who
inappropriately access government data. It would also require agencies
to post reports online detailing any investigations that discover data
misuse.

"We want to be a part of this public discussion about coming up with a
solution," Niskanen said. "And we want to help other agencies who
might go through this similar situation because we're angry, we're
frustrated, we're disappointed with this employee."

Cashing in

The rush is already on to cash in on this and other data breaches
involving driver's license records.

Litigation has become rampant in breach cases, ever since former St.
Paul police officer Anne Marie Rasmusson received more than $1 million
in settlements from local governments after alleging DVS misuse.
That's partly because federal statutes say a court can award minimum
damages of $2,500 per violation.

A Washington County man, Jeffrey Ness, filed a federal lawsuit
Wednesday against state officials and Hunt -- identified as John Doe
-- after learning he was one of 5,000 people whose driver's license
data was viewed. The suit, first reported by the Associated Press,
seeks class-action status.

Thomas and Richard Whigham of St. Paul and Woodbury, respectively,
also filed suit against the DNR on Friday seeking class-action status.
The firm representing them is simultaneously pursuing a case against
Capital One Bank and a repossession company related to a breach of
driver's license records in April 2012. That case is still being
reviewed for possible criminal charges.

Meanwhile, an attorney in Mankato is reaching out to victims of the
DNR breach asking if they would like to make a claim. A Star Tribune
reporter whose data was accessed received a letter in the mail from
attorney Scott Kelly with the Farrish Johnson Law Office, which is
also pursuing a class-action suit in Rock County over DVS misuse.

"We are looking at other agencies including the DNR where abuses
occurred," the letter says. "If you are interested in pursuing a claim
or would like information about your rights, please feel free to
contact me."

Kelly said Friday that his firm only sent letters to two people in
relation to the DNR case.

After reviewing state records and filing open records requests, he
believes that a minimum of 18,000 driver records have been breached
over the last three years.

"Our intent is that if the Department of Public Safety and these
agencies can't control it, that we will do whatever we can to enforce
the law," Kelly said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
