York County officials detected an intrusion into a Web server containing personal information on thousands of job applicants and vendors, they announced Friday.
The breached Web server contained a database with thousands of names and Social Security numbers of current, former and prospective job applicants and vendors.
On Friday, the county mailed out 16,981 letters to potential victims, said Joel Abernathy, director for York County’s information technology department.
County officials discovered the intrusion during routine maintenance on Aug. 29, 2011, he said.
The server contained an old backup database of an old online application, “and that’s where the majority of (the names) were,” he said. “The database could be 12 to 15 years old” and contained about 12,500 names.
The remaining names came from a newer database collected up until Aug. 29, when the county detected the intrusion and shut down the database.
County officials made a copy of the entire server and sent it to the State Law Enforcement Division, the S.C. Sharing Analysis Center, and local authorities for investigation.
Forensic testing showed that the vulnerability was in an application on the county’s website. Abernathy said the county has been working to “tighten up” the website’s security, rewriting pages and implementing new security measures.
Abernathy and County Manager Jim Baker said the county has done some “spot checking” for unauthorized uses of the information by having employees run credit checks on themselves.
Having employees check their credit is a reliable way to know whether the intruders took any information from the system, because data thieves don’t just take a few names, Abernathy said.
About 1,000 York County employees were notified Friday morning that their information was on the breached database.
So far there have been no indications that any information left the server, Abernathy said.
Forensic testing of the server done with a state agency revealed “no smoking gun,” he said.
There were suspicious files on the server, but no logs showing information being dumped from the site, he said.
Baker said that sometimes hackers will breach systems just to show they can.
All evidence suggests that’s what happened in York County, he said. “But you can’t always be sure.”
It’s been almost nine months since York County officials learned of the breach in the system.
South Carolina law requires no specific timeframe for notifying potential victims. Notifications must take place in “the most expedient time possible and without unreasonable delay,” while being “consistent with the legitimate needs of law enforcement … or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Stuart Rossman, an attorney and director of litigation for the National Consumer Law Center, said he doesn’t think a nine-month delay would be considered by many as reasonable.
Rossman, whose legal work is with the private – not public – sector, said in the private sector victims of security breaches must be notified immediately unless there’s a law enforcement investigation that requires delay.
He’s not sure why a breach occurring in the public sector would change the seriousness of the incident, he said.
“The consumer needs to know as quickly as possible,” he said. “It’s the best warning system.”
According to Baker, after state and local agencies investigated the breach, no one was thinking about disclosure because “given the nature of the intrusion, it didn’t appear to anybody that there was a likelihood that anyone had used any of the data in the files.”
The crime scene didn’t indicate a motive of stealing data because the breach was in a back-up database and vendors’ information was similar to what would be in the phone book – not “fertile” territory for somebody “looking to do identity theft,” he said.
The file left behind was another clue that identity theft wasn’t the motive because usually data thieves will remove anything left behind to conceal the crime.
But after the investigation with the state, authorities decided that despite no evidence of stolen information, the hacker did breach York County’s firewall, and in accordance with state law, they decided to notify potential victims.
Another reason county officials didn’t immediately send out notifications was out of fear of attracting other threats, Abernathy said, adding that even private notifications would have become public quickly, at which point York County would have become a target.
“If you’re vulnerable and you notify, you notify the world that you’re vulnerable,” he said.
County officials worked closely with state agencies to secure the county’s system and implement new firewall security, and began the process of notifying potential victims in December, Abernathy said.
Abernathy said authorities traced the hacker overseas, but couldn’t provide a more specific location.
“It’s embarrassing to us,” Baker said Friday. “We don’t ever like to see that happen to any data that the county holds. I wish I could say there’s a foolproof way (to prevent it), but I can’t.”
Abernathy stressed that web threats are always evolving, and what is secure today may be vulnerable tomorrow.
“That’s one of the biggest messages we want to get out. Make sure you’re taking care of your personal information,” he said.
On the web
For more information on York County notification policies, visit York County’s website at www.yorkcountygov.com/notification or call 803-818-6891 for assistance, Monday through Friday 8 a.m. to 5 p.m.