The U.S. Department of Housing and Urban Development (HUD) announced in mid-November, via a posting buried on the privacy page of its website, that two separate cybersecurity data breach incidents had occurred which impacted more than 500,000 individuals. The general public learned of the breaches during Thanksgiving week, bringing new meaning to the term Black Friday.
HUD EZ/RC Locator
On August 29, 2016, an online tool supporting the HUD EZ/RC Locator service was asking for “excess” information. This data included the most precious piece of personal identifying information (PII) – one’s Social Security Number. This information collected by HUD was stored on an unsecured web server. HUD advises that 50,727 individuals had their sensitive PII exposed. HUD advises that the Locator has been shut down.
HUD website
On September 14, 2016, HUD discovered that PII was being made available through its website. The information which could be harvested included name, public housing code and the last four digits of an individual’s Social Security Number. This breach of security protocols impacted 428,828 public housing residents.
HUD issued a public statement:
In both instances, HUD removed access to the associated web pages and links as soon as the disclosures were confirmed. HUD also conducted further review to determine the scope of the incidents, the extent of data exposed, and likelihood of unauthorized use of the information. To date, HUD has no evidence that any of the data has been used inappropriately.
HUD’s letter to those impacted
In the letter sent to those impacted, dated November 5, 2016, HUD’s Senior Agency Official for Privacy, Helen Goff Foster, offered HUD’s apology, explaining the incidents with candor: “HUD does not know if your information was accessed or used during the time it was available on our website.” Impacted individuals may sign up for credit monitoring services at no cost.
Hardening Data
Our new Federal CISO (Chief Information Security Officer), Gen. Gregory Touhill, recently highlighted to all government agencies the need to harden the security and processes surrounding the handling of citizens’ personal data. The HUD data breaches are a prime example of carelessness putting the PII of hundreds of thousands of HUD constituents at risk.
Every entity which requests data from their clients, customers or constituents must conduct a data flow audit. This audit need not be particularly onerous, but it absolutely must contain the basics.
In the first HUD breach, the data being collected was not required. How does a form come to contain fields which aren’t needed for its stated purpose? Copy and paste is often the culprit. Other reasons include a lack of discussion between those requiring the data and those building the means to collect it. When engineers and clients talk but don’t communicate, oversights such as this occur.
In the second instance, the website collected only the data required for HUD to provide the constituent with the desired services. It was only in storing that data that HUD did these individuals a disservice. Again, a lack of attention to detail is the culprit. As explained in the HUD announcement, the data was stored in an unencrypted state. A data flow audit that asked the basic question, whether the data was in a protected or unprotected state at each step of its flow from the constituent to the HUD official using the information, would have revealed that the data at rest was vulnerable.
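The two basic checks such an audit must contain, collecting only what the purpose requires and keeping sensitive elements protected at every hop, can be expressed as a small script. This is an added illustration, not HUD’s audit or tooling; the field names, the list of sensitive elements and the two sample flows are constructed and only loosely modelled on the incidents described above.

```python
from dataclasses import dataclass

# Assumption: which data elements the audit treats as sensitive PII.
SENSITIVE = {"ssn", "ssn_last4"}

@dataclass(frozen=True)
class Stage:
    name: str            # one hop in the flow, e.g. "web form", "web server storage"
    fields: frozenset    # data elements present at this hop
    protected: bool      # encrypted in transit / at rest at this hop

@dataclass(frozen=True)
class DataFlow:
    purpose: str
    required: frozenset  # elements the stated purpose actually needs
    stages: tuple        # ordered hops from constituent to consumer

def audit(flow):
    """Return (finding, stage, field) tuples; an empty list means no issue found."""
    findings = []
    entry = flow.stages[0]
    # Check 1: anything collected at the entry point beyond what the purpose needs.
    for f in sorted(entry.fields - flow.required):
        findings.append(("excess_collection", entry.name, f))
    # Check 2: a sensitive element present at a hop where it is not protected.
    for stage in flow.stages:
        if not stage.protected:
            for f in sorted(stage.fields & SENSITIVE):
                findings.append(("unprotected_sensitive", stage.name, f))
    return findings

# Constructed sample flows, loosely modelled on the two incidents above.
LOCATOR_FLOW = DataFlow(
    purpose="EZ/RC address lookup",
    required=frozenset({"address"}),
    stages=(
        Stage("web form", frozenset({"address", "ssn"}), protected=True),
        Stage("web server storage", frozenset({"address", "ssn"}), protected=False),
    ),
)

HOUSING_FLOW = DataFlow(
    purpose="public housing resident lookup",
    required=frozenset({"name", "housing_code", "ssn_last4"}),
    stages=(
        Stage("web form", frozenset({"name", "housing_code", "ssn_last4"}), protected=True),
        Stage("web page listing", frozenset({"name", "housing_code", "ssn_last4"}), protected=False),
    ),
)

if __name__ == "__main__":
    for flow in (LOCATOR_FLOW, HOUSING_FLOW):
        for finding in audit(flow):
            print(flow.purpose, *finding)
```

Run against the first sample flow it reports both the excess SSN field on the form and the unprotected SSN at rest; against the second it reports only the unprotected last-four digits at the listing stage.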
We can do better. We must do better.