5,000 notified of DNR security breach

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://minnesota.publicradio.org/display/web/2013/01/15/news/dnr-employee-public-records

ST. PAUL, Minn. — The Department of Natural Resources is notifying
about 5,000 Minnesotans that an employee improperly accessed their
driving and motor vehicle records.

The Bureau of Criminal Apprehension investigated and the employee
allegedly involved no longer works for the department, DNR spokesman
Chris Niskane said. He could not divulge why the employee allegedly
looked at the records or whether the employee was fired.

No criminal charges have been filed so far.

"We don't have any tolerance for this kind of behavior," Niskane said.
"We take this responsibility pretty seriously and we're looking into
every possible avenue to ensure that it doesn't happen again."

Niskanen said it is unlikely the data were used for criminal purposes,
but he advises anyone affected to monitor their credit reports. The
agency reported the breach to the three main credit reporting
agencies.

"We sent these letters out because it's the right thing to do. It's
the right thing to notify people when something like this happens,"
Niskanen said. "We believe that there's a very low risk of any sort of
malfeasance here. It doesn't appear to be so, but we wanted folks to
know."

Niskanen also could not identify where the employee worked in the DNR,
but said "several hundred'" DNR employees have a "business
need-to-know'" that gives them access to the data, including people in
game and fish licensing; those who investigate game, fish and
recreational vehicle violations; and those involved in registering
recreational vehicles including ATVs and snowmobiles.

It's illegal to access drivers' license data without a legitimate
government purpose, but state audits have found that misuse is common
and a number of public employees have faced discipline for it. Several
cities have recently agreed to settlements totaling over $1 million
with a former Eden Prairie police officer who alleged her private data
was improperly viewed by more than 140 officers from various
departments.

In a statement, DNR Commissioner Tom Landwehr said, "The agency is
implementing additional employee training and looking into ways to
monitor access to the data to ensure it doesn't happen again."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.