Ok, I’m being a little facetious.
However, 3.5 million people are to receive free credit monitoring, courtesy of Texas Comptroller, Susan Combs, according to The Dallas Morning News. The monitoring may cost the state up to $21 million. Why is the state doing this?
Ms. Combs announced that Social Security Numbers and other personal information had been available via a public server at her agency for more than a year. That’s almost as bad as things can get – just short of a state actually colluding with breaching entities – when you’ve got publicly accessible resources, with the sensitive personal information of millions of people exposed, lying out for the taking. Rather incredible, when you think about it.
According to the comptroller’s office, they discovered this problem on March 31st; however, they didn’t notify the attorney general’s office for a week. They then waited another 10 days or so before informing the public.
The time lapse was defended, though, and we can certainly trust the comptroller’s office’s judgment, no? (Facetious mode back on, just then – ok, back off now.) They needed time to study the problem; and it’s good that they set up a call center and an informational website in readying for public notification.
Still – anything could have happened in the approximately 3-week lag: I know that if my personal, critical data was hanging out there for over a year, I want to be told now, and I want to know the vulnerability is sewn shut, also as of now.
While there is no evidence of misuse (as of… er, now), we can note something besides the necessity for timely notification to stakeholders (in this case, the public). That something is the enormous leverage to be had in proactive protections. Imagine the simple security procedures – that is, security and data audits, paired with the best progressions of security reviews, policies and plans – whose cost can be apportioned over the entire Texas state server and application farm, making all information activity and related data as secure as possible.
What we here in the Weave call:
A modern arena for doing things right – right on time.
But you have to have a Business-Technology Weave with all modern, leading sensibilities and practices in thwarting new threats, evolving threats, and stupid old threats – like someone setting up and running servers that contain critical data with wide-open access.
Might be a good reminder to audit your own security standing and practices.
As a final thought: Is human error, such as laying out the wrong data for potential public consumption, really a breach? Isn’t that a measure of simple human error? If you dynamite a bank vault and make off with money, you’ve breached that vault. However, if a bank leaves a vault open overnight, with the front door wide open, and we then stroll in and fill suitcases with money and plunder – is that a breach? It’s not quite the same thing. Stay tuned… I think breach vs. human error merits a little more thought…
NP: Thin Lizzy, Live and Dangerous, on CD. (But some vinyl will spin tonight)