Thursday, February 1, 2007

Vermont agency warns 70,000 of possible data compromise

Social Security numbers and other information may have been exposed

Jaikumar Vijayan, January 30, 2007 (Computerworld) -- The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data.

The breach was discovered on Dec. 8 and involved a computer running an application that is used for collecting delinquent child support payments from noncustodial parents in the state. The "bank match" application is used to run quarterly matches of names with nine financial institutions in the state to establish whether delinquent parents have assets that can be used to pay off their child support obligations.

Each quarter, the state sends all nine financial institutions a list including names, Social Security numbers and bank or credit union account information for people who are behind on child support payments. If names from the list match the names of account holders, the institutions are required by state law to transmit that information -- using encryption -- back to the AHS.

But the AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. Tringe added that the AHS now plans to stop keeping the information on the server altogether. "The original design called for the computer to store the data," she said. "That will no longer happen."

Not all of the personal data on the compromised computer belonged to people who were behind on their child care payments. Tringe said information about more than 58,000 customers of the New England Federal Credit Union ended up on the server because the Williston, Vt.-based NEFCU mistakenly sent more information than required to the AHS.

According to Tringe, the NEFCU on two occasions -- in July 2004 and again in October 2005 -- sent over encrypted files via a communication method not used by the state. That resulted in a larger-than-required file of information being received by, and stored on, the compromised AHS server, she said.

John Dwyer, president of the NEFCU, said the agency on those two occasions used an "all accounts" method for transferring data instead of the "matched accounts" method used by the Vermont agency. It was only on those two occasions that this sort of data transfer happened, he said.

"We were never informed of the error," Dwyer said. "If we had been, we certainly would've corrected it."

The 58,000 names represent nearly all of the NEFCU's members at that time. "We've grown bigger since then," Dwyer said.

The Windows-based system that was broken into at AHS appears to have been the target of an automated attack and not a directed one, Tringe said. "It looked like the system had been infected by several bots," which were then used to store various files on the computer -- including a copy of the TV show Bones, she said.

The compromise was detected when the agency's IT staff noticed several of its computers being pinged by the breached server, she said. According to Tringe, the compromised server had "several weaknesses that could have been exploited," including a missing Microsoft Corp. security patch. "Unfortunately, we have no way to determine what particular weakness was exploited." In this case, there is evidence of suspicious activity on the computer before that patch was released.
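The detection path described above (an internal server suddenly pinging its neighbours) as an added example, not code from the article, the AHS or Computerworld: a small Python script that reads a constructed packet log and flags any internal host that ICMP-probes at least five distinct internal peers inside a sliding time window. The log format, the 10.1.0.0/16 range, the addresses and the thresholds are all assumptions made for the example.

```python
"""Flag an internal host that starts probing many other internal hosts.

Added example, not from the Computerworld article or the AHS. The log
format below is constructed for the example and is not any product's
real format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: "<epoch> <src> <dst> <proto>", one packet per line.
# 10.1.0.5 sweeps six peers in six seconds, then one more much later.
SAMPLE_LOG = """\
1000 10.1.0.5 10.1.0.10 icmp
1001 10.1.0.5 10.1.0.11 icmp
1002 10.1.0.5 10.1.0.12 icmp
1003 10.1.0.5 10.1.0.13 icmp
1004 10.1.0.5 10.1.0.14 icmp
1005 10.1.0.5 10.1.0.15 icmp
1006 10.1.0.7 10.1.0.10 tcp
1007 10.1.0.7 10.1.0.10 tcp
1100 10.1.0.5 10.1.0.16 icmp
"""

INTERNAL = ip_network("10.1.0.0/16")  # assumed internal range


def parse_line(line):
    ts, src, dst, proto = line.split()
    return int(ts), ip_address(src), ip_address(dst), proto


def scanning_hosts(log_text, window=60, threshold=5):
    """Return {src: peers} for sources that ICMP-probe at least
    `threshold` distinct internal peers within any `window` seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = parse_line(line)
        # Only internal-to-internal ICMP counts as a candidate probe.
        if proto == "icmp" and src in INTERNAL and dst in INTERNAL and src != dst:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # window starts at each hit
            peers = {d for t, d in hits[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                flagged[str(src)] = len(peers)
                break
    return flagged
```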

"Our initial exams showed no evidence to indicate that any personally identifiable or financial information had been accessed," she said. But since there is no way of confirming that, the state decided to alert individuals of the potential compromise of their data, she said.

Letters are being sent to account holders at the following nine institutions: Central Vermont Public Service Employees Credit Union, First Brandon National Bank, Federal Family Credit Union, Granite Hills CU, Merchants Bank, New England Federal Credit Union, Northfield Savings Bank, Opportunities Credit Union and the Vermont State Employees Credit Union.

