The infamous data breach of 2015 at the Office of Personnel Management (OPM) compromised more than basic personal identifying information (PII). Entire government dossiers on cleared individuals were lost. Millions were affected. One would have thought this event, coupled with the tightening of data protection schemes across industry and government would have tightened every ship. But this has not been the case -and the breaches that have occurred at both the United States Department of State, and the application misconfiguration at the government payment processor GovPayNow are proof.
State Department Breach exposes PII
The breach which occurred at the State Department involved the unclassified email server supporting employees and contractors. Politico, received a copy of an internal “Sensitive but Unclassified” notification posted on the Department’s intranet’s Knowledge Portal advising all employees of a “potential PII breach.”
The notification advises that less than one percent (1%) of employee inboxes were affected. The piece continues to explain that some employees PII may have been exposed and those employees have been notified. Those affected will be receiving three years of credit monitoring and identity monitoring services.
What exactly happened is not explained, beyond, “The Department recently detected activity of concern in its unclassified email system.” With a work force of approximately 75,000, this event affected approximately 750 employees.
An additional concern is the fact apparently two of those 75,000 decided that “Sensitive but Unclassified” did not preclude sharing the information with the media. These trusted insiders with intranet access decided, based on their own internal moral compass, that breaking trust with the Department was warranted. Perhaps the Department’s insider threat program has already determined their identity. Their action, by any measure is disturbing.
It begs the question: “What will they share next?”
Government Payment Service poor configuration exposes PII
Noted security investigative reporter, Brian Krebs, highlighted the leakage of 14+ million records by Government Payment Services, Inc., (aka GovPayNow) a company which provides online payment support to U.S. state and local governments. Those entities use the service to facilitate the payment of fines, taxes, and other debits levied upon the entities’ constituents.
The leaked information, according to Krebs, included, “names, addresses, phone numbers and the last four digits of the payer’s credit card” for those who used the service during the preceding six years. Until notified by Krebs, it was possible to view the payment receipt by simply altering digits in the URL.
The company, once notified, corrected their implementation error. This company’s parent, Securus Technologies, has been highlighted multiple times in 2018 for their errors in backend architecture, according to Krebs.
This drives home the point, that data security architecture must include every aspect and that user or provider convenience must not take a backseat to security and preservation of privacy.
The adage, “don’t collect, what you can’t protect” seems to apply to this cybersecurity lapse.
