Security breach releases personal information of Allen County employees

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.limaohio.com/news/local_news/article_01fb7dc0-96e0-11e2-97b9-001a4bcf6878.html

LIMA — Allen County Information Technology Department officials
discovered March 21 more than 1,100 Allen County employees had
personal information accidentally made available to unauthorized
users, including social security numbers.

“The breach was determined and blocked within minutes of the county
becoming aware of it last Thursday,” said Allen County Prosecutor
Juergen Waldick, during the weekly Allen County Commissioners’ meeting
Wednesday morning.

All 1,152 county employees had confidential information exposed that
included social security numbers, the Allen County Commissioners said
during a Lima News Editorial Board meeting Tuesday. Some retired
county employees also were affected. No one is believed to have
misused any of the information.

The exact manner of how the information was released and how long it
was made available for others to see and/or access was not discussed.

“There’s nothing to hide,” said Jay Begg, Allen County commissioner.
“It’s just that we want to be sure employees’ identities and
information are protected before we tell everybody what happened.”

The confidential information released did not include any financial,
retirement or health care information, Waldick said.

“While there is no indication that any individual’s information has
been improperly used, the county has taken appropriate steps to
protect its employees from the consequences of the breach,” Waldick
said.

Cory Noonan and the other Allen County Commissioners assured the
release was not intentional.

“It wasn’t something that someone maliciously did,” Noonan said. “We
learned a lot more about the Internet in the past couple days.”

Allen County Administrator Becky Saine said the county purchased
one-year Lifelock security memberships for all affected employees, at
a total cost of $25,000. Lifelock is an identity theft protection
company that monitors threats and notifies users of any suspicious
activity.

Although the information no longer is available and there are no signs
of any information being misused, the information could have been
copied during the time it was posted. Most employees have been
notified of the issue via phone calls and letters.

“Since this did involve some employees who recently retired, we have
made every attempt to contact them, and in most cases, contacted all
of them,” Waldick said.

A letter dated March 22 gave a county employee instructions to obtain
the free Lifelock membership.

“We have no reason to believe that any information has been or will be
used in an inappropriate way; however, out of an abundance of caution,
we want to make you aware of the event,” the letter read. “The Allen
County Commissioners have retained Lifelock(R) to provide one (1) year
of complimentary identity theft protection.”

Employees, who were given various passwords and passcodes to apply,
have until May 1 to enroll in the service.

Followup questions about the incident were referred to Waldick, who
was out of the office and unavailable for further comment Wednesday
afternoon. Calls made to the Allen County Information Technology
Department were not returned.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.