While performing a routine Web search on the morning of October 20, 2010, I discovered a data breach. The Web search, containing two keywords, gave one, and only one, search item, which was curiously titled “MySQL Database Dump.” When I clicked on the link, a database opened containing over 1,400 consumer profiles with over 100 fields of personal information for each consumer victim. At first glance, the database appeared to be a compilation of job applications.
The search result appeared because the database contained the two specific key terms that I searched—a company name and job title.
Each field contained a different personal identifier—everything from the job applicant's Social Security number to details about the applicant's criminal history. The dump was dated September 2, 2010, indicating that the personally identifiable information had been accessible to anyone on the Web for the previous 48 days.
The owner of the domain name that corresponded to the link to the database was an award-winning Website developer that specializes in financial services websites. I promptly contacted the company to report the problem so they could take action to secure the information. I thought I would do my ethical duty to make them aware of the problem, and I would go on with my day. However, the telephone conversations I had with them were astounding.
I provided my full name, contact information and the reason for my call, and I asked to speak to the security officer. The technical person I spoke to did not know what a security officer was. The employee was uncooperative in providing the name and title of a person to whom I could report the security breach. During my explanation of the situation and its urgency, my call was dropped.
I telephoned the company again. This time a different person answered the phone. The person had apparently been prepped for my call by the coworker who had seemingly hung up on me. This company employee was outright belligerent. He claimed to be the responsible person and the company's software manager; however, he out-and-out refused to give me his first or last name when I asked to whom I was speaking.
Again, I provided my full name, telephone number and Website address, and told him I would provide him the details of the data breach if he would simply give me his name so that I had a record of the person to whom the breach was reported. He refused.
What came next was shocking. He asserted that the motive for my call was to extort money from the company. He claimed the company did not have any employee data or Social Security numbers, suggesting my call was a ruse. On multiple occasions, he referred to me as a "Jack Ass."
As discussed in part one of this article, federal laws that apply to financial institutions require that both the financial institution and its vendors comply with the Gramm-Leach-Bliley Act's Safeguards Rule. The Rule requires that the entity designate a person to oversee its information security program. The Act was enacted more than a decade ago to protect the privacy of consumers and to prevent identity theft.
Finding myself in a quandary over the situation, I contacted the Wisconsin Department of Justice for advice, and I left a message for the appropriate inspector to call me regarding the incident. The inspector returned my phone call at the end of the day, but only to surprise me with an unexpected line of questioning.
Part 3 of this series will discuss the additional communications we had with the Wisconsin financial institution, law enforcement and regulatory bodies concerning the reporting of this data breach.