As if the unemployed need one more thing to worry about

If you actively collect data from third parties, the collecting entity has a special responsibility. This is especially the case when the data and information is required. In this case, any volition is negated by the strict requirement for all practical purposes. The collecting agency becomes the steward of the information. The agency is responsible for maintaining the data, securing the data, and ensuring this is only provided to the appropriate authenticated party(ies). This is manifested as not just providing it to anyone who asks for it, ensuring it is secured using the industry best practices, and other appropriate measures used as the industry standards. This chain of trust was broken in early 2017.

Incident

The issue occurred with the Unemployment Insurance Agency (UIA) in January 2017, when it came to light. For some reason, the ACLs were modified. The UIA has termed this a "glitch". This unfortunately allowed the staff at the payroll processing company access to other's names, social security numbers, and wages of employees. The payroll companies were not authorized to view this. There was a silver lining to this situation; at the time of the investigation, there had not been a sign that the unauthorized records had been accessed.

Although the evidence does indicate this, the persons unauthorized to view this indeed may have viewed the records and secured the data held therein. This could be used years in the future, as a detriment to the persons involved.

Lessons

With any decision or modification, there should be a process in place. Any of these changes should not be made without thought being placed into it. There should also be some form of an audit trail, to show what the change should be, who approved it, and possibly who the process of implementing this should be applied to. With these steps in place, any manager would be able to note who approved the alteration to the ACLs to allow persons with no business having access to these records the access, and when it was done. This does take a bit more time, however the issues this would have resolved much quicker and accountability applied, regardless if this was a simple oversight or an error.

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Check back soon

Once posts are published, you’ll see them here.

Cybersecurity and Linux SSH Servers

Cybersecurity and the Auto Industry

Cybersecurity and the Energy Sector

Cybersecurity and Costs

Cybersecurity and Electronic Health Records

Cybersecurity and IoMT

Cybersecurity and Obscurity

Cybersecurity and New Devices and Old Problems

Cybersecurity and the Diversity of Data

Cybersecurity and Compromises

No tags yet.

As if the unemployed need one more thing to worry about

Featured Posts

Recent Posts

Archive

Search By Tags

Follow Us