Security Manager's Journal: Breached!

13.02.2006
It finally happened. We had a security breach that could have severe ramifications for a state agency.

I was packing up to leave on a Friday when the webmaster came into my office and shut the door behind him. It was unusual for him to be in the office so late, and he looked particularly nervous. So I took off my coat, set down my briefcase and sat down. He refused the chair I offered him.

"OK, what's going on?" I asked.

"Well, uh, I think we have a problem with one of our Internet Web sites, and I'm afraid to tell you about it, but I think I have to, and I've already fixed the problem, but you might need to know about this, since you are the information security officer," he rambled. I held up my hand as if to say "Stop," and he collapsed into a chair with tears in his eyes.

I have dealt with plenty of security incidents in my time, and I couldn't imagine what could be so horrible that he was afraid to tell me. I smiled and told him to take a deep breath and start from the beginning. Here's what he told me: An employee was doing a Google search on the name of a client of the agency, when up came the URL for an agency directory. She clicked on the link and, lo and behold, the supposedly password-protected page appeared with the client's Social Security number on it, even though the employee hadn't been asked to log in or use a password. Social Security numbers are "personally identifiable" information, as defined by the Health Insurance Portability and Accountability Act (HIPAA), and we're subject to its security and privacy rules.

The employee immediately called the webmaster, who started reviewing the file structure, moving files and changing permissions, all the while generally panicking.