If you actively collect data from third parties, the collecting entity takes on a special responsibility. This is especially the case when submitting the data is mandatory: the strict requirement leaves the submitter no real choice, so for all practical purposes the collecting agency becomes the steward of the information. The agency is responsible for maintaining the data, securing it, and ensuring it is disclosed only to the appropriate, authenticated party or parties. In practice this means not handing the data to anyone who asks for it, securing it according to industry best practices, and applying the other measures the industry treats as standard. This chain of trust was broken in early 2017.
The issue at the Unemployment Insurance Agency (UIA) came to light in January 2017. For some reason, the ACLs had been modified; the UIA has termed this a "glitch". The change allowed staff at payroll processing companies to access other employers' employees' names, social security numbers, and wages, which the payroll companies were not authorized to view. There was a silver lining: at the time of the investigation, there was no sign that the unauthorized records had actually been accessed.
Although the evidence indicates that no such access occurred, the persons who were not authorized to view the records may nonetheless have viewed them and retained the data held therein. That data could be used years in the future, to the detriment of the persons involved.
With any decision or modification, there should be a process in place. None of these changes should be made without thought being put into them. There should also be some form of audit trail showing what the change is, who approved it, and to whom the change applies. With these steps in place, any manager would be able to see who approved the alteration to the ACLs that granted access to persons with no business having it, and when it was done. This does take a bit more time; however, the issue would have been resolved much more quickly and accountability applied, regardless of whether this was a simple oversight or an error.
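The following is an added illustration of the change-control process described above; it is not code from the author or from the UIA, and every resource name, principal and ticket id in it is constructed for the example. An ACL change is applied only when it carries a change record naming the change, the requester and a separate approver; each applied change is written to an audit trail; and a reconciliation step compares the live ACL against the approved baseline so that an unexplained grant (a "glitch") is detected by the process rather than discovered by accident.

```python
"""Change-controlled ACL updates with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class ChangeRequest:
    resource: str
    grant: Set[str]          # principals that gain access
    revoke: Set[str]         # principals that lose access
    requested_by: str
    approved_by: str = ""    # empty until an approver signs off
    ticket: str = ""         # constructed change-ticket reference


@dataclass
class AuditEntry:
    when: str
    resource: str
    grant: Set[str]
    revoke: Set[str]
    requested_by: str
    approved_by: str
    ticket: str


class ControlledACL:
    """Live ACL plus the approved baseline it is expected to match."""

    def __init__(self, baseline: Dict[str, Set[str]]):
        self.acl = {r: set(p) for r, p in baseline.items()}       # what is enforced
        self.approved = {r: set(p) for r, p in baseline.items()}  # what was approved
        self.audit: List[AuditEntry] = []

    def apply(self, req: ChangeRequest) -> None:
        # Refuse changes that nobody approved, or that the requester approved alone.
        if not req.approved_by:
            raise PermissionError(f"change to {req.resource} has no approver")
        if req.approved_by == req.requested_by:
            raise PermissionError("requester may not approve their own change")
        principals = self.acl.setdefault(req.resource, set())
        principals |= req.grant
        principals -= req.revoke
        self.approved[req.resource] = set(principals)
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            resource=req.resource, grant=set(req.grant), revoke=set(req.revoke),
            requested_by=req.requested_by, approved_by=req.approved_by,
            ticket=req.ticket))

    def reconcile(self) -> Dict[str, Set[str]]:
        """Return principals holding access that no approved change granted."""
        drift: Dict[str, Set[str]] = {}
        for resource, principals in self.acl.items():
            extra = principals - self.approved.get(resource, set())
            if extra:
                drift[resource] = extra
        return drift


def demo() -> Dict[str, Set[str]]:
    """Walk through an approved change, a rejected one, and an unexplained grant."""
    acl = ControlledACL({"employee_wage_records": {"uia_staff"}})
    # A reviewed change: grant the auditor role, approved by someone other than the requester.
    acl.apply(ChangeRequest("employee_wage_records", {"uia_auditor"}, set(),
                            requested_by="alice", approved_by="bob", ticket="CHG-0001"))
    # An unapproved change is refused outright and never reaches the live ACL.
    try:
        acl.apply(ChangeRequest("employee_wage_records", {"payroll_vendor"}, set(),
                                requested_by="alice"))
    except PermissionError:
        pass
    # Simulate an out-of-band edit: the live ACL changes with no change record at all.
    acl.acl["employee_wage_records"].add("payroll_vendor")
    # Reconciliation surfaces the grant that no one approved.
    return acl.reconcile()


if __name__ == "__main__":
    print(demo())
```

The reconciliation step is the part that would have shortened the UIA's response: run on a schedule against the live ACLs, it flags any principal whose access is not backed by an approved, audited change, and the audit trail names the requester, approver and ticket for every access that is legitimate.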
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.