Welcome to the SecAware blog

I spy with my beady eye ...

1 Jun 2007

Privacy breach affects 25,000 DOT employees

A security breach on a server at the end of May created a privacy incident, exposing the names and Social Security Numbers of ~25,000 North Carolina Department of Transportation employees and contractors. Based on information in the press, I presume the server was used to record employee ID badges - most likely, I guess, a database system used by the physical security people.

People who used their employee identification number instead of their Social Security number are not at risk.

Social Security Numbers are convenient personal identifiers for American citizens since they are much more likely to be unique than full names. However, SSNs are supposedly secret numbers (like credit card numbers), so systems and processes should avoid using them unless it is essential (i.e. for social security-related purposes). Systems that have to use SSNs for some reason need appropriate security measures, including strong system and data access controls with encryption.

US public bodies have been known to post official documents containing SSNs online.

It seems to me the real problem with SSNs is their use for authentication as well as identification of individuals. Biometrics would make much better authenticators, and we'll be covering biometrics in next month's NoticeBored security awareness module. Watch this space.
