Another week, another breach…and I didn’t have to spend a week on vacation to read about this one. Off we go to the Lone Star State where, yes, everything is bigger in Texas…3.5 million. That is a lot of records to be involved in a single data breach. If one were to use a cost of $200 per record, well…you can do the math and it is a BIG number. At this time the State of Texas hasn’t offered any free credit monitoring services, but they have set up an informational website: http://www.txsafeguard.org/. The story goes that the personal information was on a public-facing website. The information was names, addresses, social security numbers, driver license numbers, etc…the kind of information that shouldn’t be on a public website.
In most organizations the people who have access to that kind of information work for Human Resources (HR), and I will assume that is the case with the State of Texas also. So one of two things happened: (1) HR personnel have privileges to post information on a public website, or (2) IT personnel, say maybe the web support team, had access to HR data and downloaded it and posted it on the website. For now, let us assume #1, although both scenarios lead to the same root cause.
Why does the HR person have access to post information to a website? I could understand an internal human resources SharePoint site, but not a public-facing website. I would have to consider this inappropriate access, and it should have been identified during a periodic access review or during an audit. If neither of these reviews is performed on a recurring basis, then the State of Texas probably has a lot bigger problems waiting to be identified. It is also reported that a number of people have been fired over the incident. If the departments involved haven’t been audited, then the wrong people have been fired. If they have been audited recently, then the State of Texas needs to find different auditors.
This is just another example of the importance of implementing an access review process, monitoring privileged accesses, and having a third party come in once in a while to verify that everything is being done the way it should be.
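To make the access review concrete, here is a small entitlement reconciliation script of the kind a periodic review could run. It is an added example, not code from the original post or from the State of Texas; every user name, role, privilege string and the approval matrix are constructed for illustration. It flags each account holding a privilege its role is not approved for (an HR role with publish rights on the public website, a web support role with read access to HR data), lists who holds each privileged entitlement so an owner can attest to it, and calls out the toxic combination the post describes: one account that can both read HR data and publish to the public site.

```python
"""Entitlement review: flag privileges that exceed what an account's role allows.

Added example, not part of the original post. All roles, users and privilege
names below are constructed (hypothetical) values.
"""
from dataclasses import dataclass

# Role -> privileges that role is approved to hold (constructed policy matrix).
APPROVED = {
    "hr_analyst": {"hr_db:read", "intranet_sharepoint:write"},
    "web_support": {"public_web:read", "public_web:publish"},
    "dba": {"hr_db:read", "hr_db:write"},
}

# Entitlements treated as privileged: every holder is listed for attestation.
SENSITIVE = {"public_web:publish", "hr_db:read", "hr_db:write"}

# The pair that turns an over-privileged account into a public data exposure.
TOXIC_PAIR = {"hr_db:read", "public_web:publish"}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    privileges: frozenset


def review(accounts, approved=APPROVED):
    """Return (user, privilege, reason) for every entitlement outside the role matrix."""
    findings = []
    for acct in accounts:
        allowed = approved.get(acct.role)
        if allowed is None:
            # No approved profile at all: every privilege needs an owner's sign-off.
            for priv in sorted(acct.privileges):
                findings.append((acct.user, priv, "unknown role"))
            continue
        for priv in sorted(acct.privileges - allowed):
            findings.append((acct.user, priv, f"not approved for role {acct.role}"))
    return findings


def sensitive_holders(accounts, sensitive=SENSITIVE):
    """Map each privileged entitlement to the sorted list of users holding it."""
    holders = {priv: [] for priv in sensitive}
    for acct in accounts:
        for priv in acct.privileges & sensitive:
            holders[priv].append(acct.user)
    return {priv: sorted(users) for priv, users in holders.items()}


def toxic_combinations(accounts, pair=TOXIC_PAIR):
    """Users who can both read HR data and publish to the public website."""
    return sorted(a.user for a in accounts if pair <= a.privileges)


# Constructed sample export from an identity store (not real accounts).
SAMPLE = [
    Account("jdoe", "hr_analyst",
            frozenset({"hr_db:read", "intranet_sharepoint:write", "public_web:publish"})),
    Account("asmith", "web_support",
            frozenset({"public_web:read", "public_web:publish", "hr_db:read"})),
    Account("bkim", "dba", frozenset({"hr_db:read", "hr_db:write"})),
    Account("svc_legacy", "contractor", frozenset({"public_web:publish"})),
]

if __name__ == "__main__":
    for user, priv, reason in review(SAMPLE):
        print(f"FINDING  {user:<12} {priv:<26} {reason}")
    for priv, users in sorted(sensitive_holders(SAMPLE).items()):
        print(f"ATTEST   {priv:<26} {', '.join(users) or '-'}")
    for user in toxic_combinations(SAMPLE):
        print(f"TOXIC    {user}: can read HR data and publish to the public website")
```

Run against a real identity export, the FINDING lines are the items to remediate or formally approve, the ATTEST lines are what each data owner signs off on during the review cycle, and the TOXIC lines are the ones that should never survive a review.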