The state Department of Rehabilitation (DOR) has notified nearly 2,000 employees by letter and will offer them 12 months of credit monitoring, following a recent incident in which confidential personal information was made accessible to staff on an internal hard drive, the agency confirmed to Techwire.
In the episode, characterized by DOR Information Security and Privacy Officer Dolly Roco in the Jan. 24 letter as a “data security incident” and “possible data breach,” a spreadsheet displaying staffers’ classification information and Social Security numbers was saved in a folder on DOR’s internal G drive (“G drive” is the agency’s own name for the share). The information, to which only DOR employees had access, was stored on the agency’s internal network during four business days, in a six-day period from Jan. 9-14, Roco said in the letter. On Jan. 14, during “the regular course of business,” Roco said, an employee accessed the file and “promptly reported that the file included Social Security numbers.”
“We regret that this incident occurred and want to assure you that we are committed to protecting your personal information. We recognize that mistakes happen and are working to identify checks and balances that can be implemented to reduce the risk of this type of incident occurring in the future. Also, while we have no reason to believe that your personal information may have been misused, and out of an abundance of caution, we have decided to provide you with twelve (12) months of credit monitoring,” Roco said in the letter.
The spreadsheet contained first and last names, Social Security numbers and classification information for roughly 1,973 people, DOR Communications Manager Connie Nakano told Techwire via email. The classification information was public information, and the spreadsheet was stored on the G drive in a subfolder within a folder, Nakano said in a follow-up conversation. DOR is not aware of any other employees who looked at the spreadsheet, she said in the email. Additionally, G drive folders and subfolders are “access restricted” to different employee groups, and the data does not appear to have been misused as a result of having been accessible to employees.
“We know of no occurrence in which the data was breached or misused as a result of this incident,” Nakano said.
The agency took immediate action on Jan. 14, deleting the spreadsheet from its internal drive and restricting access to the folder in which it had been saved. DOR “then began investigating how the document was placed on the drive and potential impacts, as well as initiating the notification processes,” Nakano said.
The department reported the incident on the Search Data Security Breaches page of the state Attorney General’s website on Jan. 25 and included a copy of the letter to affected employees. In accordance with California Civil Code, a business or state agency must notify residents whose “unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person,” the webpage said, citing the law. The law also mandates that a sample copy of any breach notice sent to more than 500 residents be provided to the Attorney General. Contacted by Techwire, a representative of the Attorney General’s press office referred a reporter to DOR.
Letters were mailed to employees on Jan. 28, and DOR is planning the training it will offer in hopes of avoiding a future incident, Nakano said.
“We don’t have the training schedule finalized yet, but it would be the training that would come from our information security office. They would be training, likely, all DOR staff,” Nakano said, indicating employees who work with sensitive information would likely be trained first. The sensitive information in the spreadsheet is “regularly retained for pay or salary-related purposes,” and was downloaded from an external database belonging to the state Controller. Social Security numbers should have been redacted, Nakano said.
DOR’s posting was noticed by officials at San Jose-based Dtex, a leader in user behavior intelligence and insider threat detection. Rajan Koo, the company’s vice president of customer engineering, who oversees its insider threat analyst team, said it’s essential to have monitoring in place to scrutinize data storage and transfer.
“In this case, it really appears that the state is doing the right thing. They’re notifying the potentially affected individuals. We want to be able to train and educate the end user as quickly as possible (after) the incident occurs. So, you’re not just mitigating the risk related to the potential exposure of that data, you’re reinforcing good behavior in individuals. And that’s essentially what we classify as a teachable moment,” Koo told Techwire.