The extent of the personal information exposed online on each of the victims of the data breach meant the information had to be secured immediately. To get the information secured, I had to inform a responsible person at the company that controlled the database. Although hesitant to do so, I browsed the database looking for clues as to who owned it—was it the software company or one of their customers? It became apparent that the database corresponded to responses to a job application questionnaire.
One of the fields in the database apparently corresponded to a question that asked the job candidate why he or she was applying for a position with the company. Several applicants referred to the prospective employer, a Wisconsin-based financial institution, by name. Upon reviewing the financial institution’s Website, I determined that the Website was powered by the same software company responsible for leaving the unsecured database of job applicants accessible over the Web.
I contacted the financial institution by telephone. Predictably, it was a challenge to have the receptionist transfer me to the employee responsible for security or privacy. The receptionist challenged my premise that there was a security breach involving the financial institution’s data. She averred that the financial institution had a secure Website, and consequently I should not have security concerns.
I persistently requested to speak to the person responsible for security. After extended circular dialogue and repeated requests, the receptionist seemed to succumb to my request by asking me to provide my account number as a condition for transferring me to the appropriate person. (It should be obvious to the reader that I was not a customer of the bank.) Persisting, I was finally transferred to someone’s voicemail, and I left a detailed message about what I had discovered.
Not hearing back from the financial institution for nearly two hours, and considering the urgency of the situation, I contacted the Appleton, Wisconsin Police Department because the financial institution is located in its jurisdiction. I discussed the data breach with the computer crimes officer, who readily duplicated my Web search and confirmed that the discovery was indeed a serious data breach. I contacted the police with the expectation that a responsible person at the financial institution would listen to law enforcement, since it was apparent that my third-party consumer reporting was not being taken seriously.
Later that afternoon, I received a call from the president of the financial institution, thanking me for my efforts in notifying them. She said they were investigating how the breach occurred, and expressed her dismay with the vendor because of their negligence with respect to handling my initial call that morning.
The president of the financial institution seemed confused and reticent when I explained that they needed to comply with the breach notification law of each of the 20 states in which the victims of the breach resided.
Later that afternoon, I received a return phone call from an inspector at the Wisconsin Department of Justice, and we discussed what I had discovered and the status of my reporting. The inspector then said, “I have to ask you this question. When you find data breaches on the Internet, what do you do?”
“Whoa,” I exclaimed, “I don’t go looking for data breaches, I found this one by accident while doing a Web search this morning.” Apologetically, the inspector said, “I had to ask that question.” The question suggested that my reporting of the breach to the companies implied a quid pro quo.
The fourth and final part of this series discusses public disclosure of data breaches and what we can learn from this case history.